Audit Report

OIG-13-047
Report on the Bureau of the Fiscal Service’s Administrative
Resource Center Description of its Financial Management
Services and the Suitability of the Design and Operating
Effectiveness of its Controls for the Period July 1, 2012
to June 30, 2013
August 27, 2013

Office of
Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF
INSPECTOR GENERAL

August 27, 2013

MEMORANDUM FOR DAVID A. LEBRYK, COMMISSIONER
               BUREAU OF THE FISCAL SERVICE

FROM:     Michael Fitzgerald
          Director, Financial Audits

SUBJECT:  Report on the Bureau of the Fiscal Service’s Administrative
          Resource Center Description of its Financial Management
          Services and the Suitability of the Design and Operating
          Effectiveness of its Controls for the Period July 1, 2012
          to June 30, 2013

I am pleased to transmit the attached Report on the Bureau of the Fiscal Service’s
Administrative Resource Center (ARC) Description of its Financial Management
Services and the Suitability of the Design and Operating Effectiveness of its Controls
for the period July 1, 2012 to June 30, 2013.
Under a contract monitored by the
Office of Inspector General, KPMG LLP, an independent certified public accounting
firm, performed an examination of the description of controls, the suitability of the
design, and the operating effectiveness of the accounting and procurement
processing, and general computer controls (financial management services) provided
by ARC to various Federal Government agencies (customer agencies) for the period
July 1, 2012 to June 30, 2013. The contract required that the examination be
performed in accordance with generally accepted government auditing standards and
the American Institute of Certified Public Accountants’ Statement on Standards for
Attestation Engagements Number 16, Reporting on Controls at a Service
Organization.

In its examination, KPMG LLP found in all material respects:

    • the Description of Controls Provided by ARC fairly presents the financial
      management services that were designed and implemented throughout the
      period July 1, 2012 to June 30, 2013,
    • the controls related to the control objectives stated in the description were
      suitably designed to provide reasonable assurance that the control objectives
      would be achieved if the controls operated effectively throughout the period
      July 1, 2012 to June 30, 2013, and customer agencies applied the
      complementary customer agency controls and sub-service organizations
      applied the controls contemplated in the design of ARC’s controls throughout
      the period July 1, 2012 to June 30, 2013, and
    • the controls tested, which together with the complementary customer agency
      controls and sub-service organizations’ controls, if
      operating effectively, were
      those necessary to provide reasonable assurance that the control objectives
      were achieved, operated effectively throughout the period July 1, 2012 to
      June 30, 2013.

In connection with the contract, we reviewed KPMG LLP’s report and related
documentation and inquired of its representatives. Our review, as differentiated
from an examination of the description of controls, the suitability of the design, and
the operating effectiveness of controls in accordance with generally accepted
government auditing standards, was not intended to enable us to express, and we
do not express, an opinion on ARC's description of controls, the suitability of the
design of these controls and the operating effectiveness of controls tested.
KPMG LLP is responsible for the attached independent service auditors’ report dated
August 22, 2013, and the conclusions expressed in the report. However, our review
disclosed no instances where KPMG LLP did not comply, in all material respects,
with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member
of your staff may contact Mark S. Levitt, Manager, Financial Audits at
(202) 927-5076.

Attachment

U.S. Department of the Treasury
Bureau of the Fiscal Service

Administrative Resource Center
Financial Management Services
Accounting and Procurement Processing and
General Computer Controls

Report on Administrative Resource Center’s Description of Its Financial
Management Services and the Suitability of the Design and Operating
Effectiveness of Its Controls
For the Period July 1, 2012 to June 30, 2013

U.S.
DEPARTMENT OF THE TREASURY
BUREAU OF THE FISCAL SERVICE
ADMINISTRATIVE RESOURCE CENTER
FINANCIAL MANAGEMENT SERVICES

REPORT ON ADMINISTRATIVE RESOURCE CENTER’S DESCRIPTION OF ITS
FINANCIAL MANAGEMENT SERVICES AND THE SUITABILITY OF THE DESIGN AND
OPERATING EFFECTIVENESS OF ITS CONTROLS

Table of Contents

Section   Description

  I. Independent Service Auditors’ Report Provided by KPMG LLP

 II. Management Assertion

III. Description of Controls Provided by the Administrative Resource Center

       Overview of Operations

       Relevant Aspects of the Control Environment, Risk Assessment, and Monitoring
           Control Environment
           Risk Assessment
           Monitoring

       Information and Communication
           Information Systems
           Communication

       Control Objectives and Related Controls
           The Administrative Resource Center’s control objectives and related controls
           are included in Section IV of this report, “Control Objectives, Related Controls,
           and Tests of Operating Effectiveness.” Although the control objectives and
           related controls are included in Section IV, they are, nevertheless, an integral
           part of the Administrative Resource Center’s description of controls.

       Complementary Customer Agency Controls

       Sub-service Organizations

 IV. Control Objectives, Related Controls, and Tests of Operating Effectiveness

       Accounting Processing Controls
           Obligations
           Disbursements
           Unfilled Customer Orders, Receivables, and Cash Receipts
           Deposits
           Payroll Accruals
           Payroll Disbursements
           USSGL
           Accruals
           Government-Wide Reporting
           Administrative Spending
           Budget
           Manual Journal Entries
           Federal Investments
           Suppliers and Banks Record Changes

       Procurement Processing Controls
           Acquisitions and Contracts
           Sufficiently Funded Requisitions

       General Computer Controls
           System Access
           System Changes
           Non-Interruptive System Service
           Records Maintenance

  V. Other Information Provided by Administrative Resource Center

       Contingency Planning

I. INDEPENDENT SERVICE AUDITORS’ REPORT
PROVIDED BY KPMG LLP

KPMG LLP
1676 International Drive
McLean, VA 22102

Independent Service Auditors’ Report

Inspector General, U.S. Department of the Treasury
Deputy Executive Director, Administrative Resource Center

Scope
We have examined the Bureau of the Fiscal Service’s (Fiscal Service) Administrative Resource
Center (ARC) description of its accounting and procurement processing, and general computer
controls used for processing (financial management services) Customer Agencies’ transactions
throughout the period July 1, 2012 to June 30, 2013 (description) and the suitability of the design
and operating effectiveness of controls to achieve the related control objectives stated in the
description.
The description indicates that certain control objectives specified in the description
can be achieved only if complementary Customer Agency controls contemplated in the design of
ARC’s controls are suitably designed and operating effectively, along with related controls at the
service organization. We have not evaluated the suitability of the design or the operating
effectiveness of such complementary Customer Agency controls.

ARC uses external service organizations (sub-service organizations). The description in Sections
III and IV includes only the control objectives and related controls of ARC and excludes the
control objectives and related controls of the sub-service organizations. Our examination did not
extend to controls of sub-service organizations.

Service organization’s responsibilities
In Section II, ARC has provided an assertion about the fairness of the presentation of the
description, the suitability of the design and the operating effectiveness of the controls to achieve
the related control objectives stated in the description.
ARC is responsible for preparing the
description and for the assertion, including the completeness, accuracy, and method of
presentation of the description and the assertion, providing the services covered by the
description, specifying the control objectives and stating them in the description, identifying the
risks that threaten the achievement of the control objectives, selecting and using suitable criteria,
and designing, implementing, and documenting controls to achieve the related control objectives
stated in the description.

The information in Section V of management’s description of the service organization’s system,
“Other Information Provided by ARC,” is presented by management of ARC to provide
additional information and is not a part of ARC’s description of its system made available to
Customer Agencies during the period July 1, 2012, to June 30, 2013. Information in Section V
has not been subjected to the procedures applied in the examination of the description of the
system and of the suitability of the design and operating effectiveness of controls to achieve the
related control objectives stated in the description of the system, and, accordingly, we express no
opinion on it.

KPMG LLP is a Delaware limited liability partnership,
the U.S. member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.

Service auditors’ responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description,
the suitability of the design and the operating effectiveness of the controls to achieve the related
control objectives stated in the description, based on our examination.
We conducted our
examination in accordance with attestation standards established by the American Institute of
Certified Public Accountants (AICPA) and applicable Government Auditing Standards issued by
the Comptroller General of the United States. Those standards require that we plan and perform
our examination to obtain reasonable assurance about whether, in all material respects, the
description is fairly presented, the controls were suitably designed and the controls were
operating effectively to achieve the related control objectives stated in the description throughout
the period July 1, 2012 to June 30, 2013.

An examination of a description of a service organization's system and the suitability of the
design and operating effectiveness of the service organization's controls to achieve the related
control objectives stated in the description involves performing procedures to obtain evidence
about the fairness of the presentation of the description and the suitability of the design and the
operating effectiveness of those controls to achieve the related control objectives stated in the
description. Our procedures included assessing the risks that the description is not fairly
presented and that the controls were not suitably designed or operating effectively to achieve the
related control objectives stated in the description. Our procedures also included testing the
operating effectiveness of those controls that we consider necessary to provide reasonable
assurance that the related control objectives stated in the description were achieved. An
examination engagement of this type also includes evaluating the overall presentation of the
description and the suitability of the control objectives stated therein, and the suitability of the
criteria specified by the service organization and described in management’s assertion in Section
II of this report.
We believe that the evidence we obtained is sufficient and appropriate to provide
a reasonable basis for our opinion.

Inherent limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct,
all errors or omissions in processing or reporting transactions. Also, the projection to the future
of any evaluation of the fairness of the presentation of the description, or conclusions about the
suitability of the design or operating effectiveness of the controls to achieve the related control
objectives is subject to the risk that controls at a service organization may become inadequate or
fail.

Opinion
In our opinion, in all material respects, based on the criteria described in ARC’s assertion, (1) the
description fairly presents the financial management services that were designed and
implemented throughout the period July 1, 2012 to June 30, 2013, (2) the controls related to the
control objectives stated in the description were suitably designed to provide reasonable
assurance that the control objectives would be achieved if the controls operated effectively
throughout the period July 1, 2012 to June 30, 2013, and Customer Agencies applied the
complementary Customer Agency controls and sub-service organizations applied the controls
contemplated in the design of ARC’s controls throughout the period July 1, 2012 to June 30,
2013, and (3) the controls tested, which together with the complementary Customer Agency
controls and sub-service organizations’ controls referred to in the scope paragraph of this report,
if operating effectively, were those necessary to provide reasonable assurance that the control
objectives stated in the description in Section IV were achieved, operated effectively throughout
the period July 1, 2012 to June 30, 2013.

Description of tests of controls
The specific controls and
the nature, timing, extent, and results of the tests are listed in Section
IV.

Restricted use
This report, including the description of tests of controls and results thereof in Section IV, is
intended solely for the information and use of the management of ARC, Customer Agencies of
ARC’s financial management services during some or all of the period July 1, 2012 to June 30,
2013, the U.S. Department of the Treasury Office of Inspector General, the Office of
Management and Budget, the Government Accountability Office, the U.S. Congress, and the
Independent Auditors of ARC’s Customer Agencies, who have a sufficient understanding to
consider it, along with other information including information about controls implemented by
Customer Agencies themselves, when assessing the risks of material misstatements of Customer
Agencies’ financial statements. This report is not intended to be and should not be used by
anyone other than these specified parties.

August 22, 2013
McLean, Virginia

II. MANAGEMENT’S ASSERTION

Administrative Resource Center's Assertion
August 22, 2013

We have prepared the description of the Administrative Resource Center's (ARC)
accounting and procurement processing, and general computer controls used for
processing (financial management services) for user entities of the system during
some or all of the period July 1, 2012 to June 30, 2013, and their user auditors who
have a sufficient understanding to consider the description, along with other
information, including information about controls operated by user entities of the
system themselves, when obtaining an understanding of user entities' information and
communication systems relevant to financial reporting. We confirm, to the best of our
knowledge and belief, that:

a.   The accompanying description in Sections III and IV, fairly presents the ARC
     system made available to user entities of the system during some or all of the
     period July 1, 2012 to June 30, 2013 for processing their transactions in the ARC
     financial management systems.

     ARC uses a number of different sub-service organizations for certain transaction
     processing:

     Sub-Service Organization                 Description of Services
     Treasury                                 Central Accounting and Reporting
                                              System (CARS) provides reports and
                                              information of Customer Agencies’
                                              Fund Balance with Treasury.

                                              Secure Payment System (SPS) provides
                                              invoice processing.

                                              Internet Payment Platform (IPP) is
                                              used to route invoices for approval and
                                              payment.

                                              Collections Information Repository
                                              (CIR), CARS, and Intra-governmental
                                              Payment and Collection (IPACS) are
                                              used for Statement of Transactions
                                              activity.

                                              TGANet and OTCnet are used to process
                                              checks for deposit.

                                              FACTS I and FACTS II are used by
                                              customer agencies for reporting and
                                              producing financial statements.

                                              FedInvest is used to purchase and
                                              redeem Government Account Series
                                              securities.

                                              Treasury Information Executive Repository
                                              (TIER) and Financial Analysis Reporting
                                              System (FARS) are used for producing
                                              Treasury and Department of Homeland
                                              Security financial statements.

     Third Party Payroll Service Providers    Processing of payroll transactions
     Northrop Grumman Mission Systems         Processing of travel related transactions
     General Services Administration          Used for procurement transactions
     Oracle Corporation                       Provides hosting services for Oracle and PRISM

     The description in Sections III and IV includes only the controls and related control
     objectives of ARC and excludes the control objectives and related controls of the
     services listed above from the respective service organizations. The criteria we used
     in making this assertion were that the accompanying description:

     i.   Presents how the systems made available to user entities of the system was
          designed and implemented to process relevant transactions, including:
          1. The types of services provided, including, as appropriate, the
             classes of transactions processed;
          2. The procedures, within both automated and manual systems, by
             which those transactions were initiated, authorized, recorded,
             processed, corrected as necessary, and transferred to the reports
             prepared for user entities;
          3. The related accounting records, supporting information, and
             specific accounts that were used to initiate, authorize, record,
             process, and report transactions; this includes the correction of
             incorrect information and how information was transferred to
             the reports prepared for user entities;
          4. How the systems captured and addressed significant events and
             conditions, other than transactions;
          5. The process used to prepare reports or other information for user
             entities;
          6. Specified control objectives and controls designed to achieve
             those objectives;
          7. Controls that we assumed, in the design of the system, would be
             implemented by user entities, and which, if necessary to achieve
             control objectives stated in the accompanying description, are
             identified in the description along with the specific control
             objectives that cannot be achieved solely by controls
             implemented by us; and
          8. Other aspects of our control environment, risk assessment
             process, information and communication systems (including the
             related business processes), control activities, and monitoring
             controls that are relevant to processing and reporting
             transactions of user entities.

     ii.  Does not omit or distort information relevant to the scope of the Administrative
          Systems being described, while acknowledging that the description was prepared to
          meet the common needs of a broad range of user entities and their independent
          auditors and may not, therefore, include every aspect of the Administrative
          Systems that each individual user entity may consider important in its own
          particular environment.

b.   The description includes relevant details of changes to ARC's systems during the
     period covered by the descriptions.

c.   The controls related to the control objectives stated in the description were suitably
     designed and operated effectively throughout the period July 1, 2012 to June 30, 2013
     to achieve those control objectives. The criteria we used in making this assertion were
     that

     i.   The risks that threatened achievement of the control objectives stated in the
          description were identified;
     ii.  The identified controls would, if operated as described, provide reasonable
          assurance that those risks did not prevent the stated control objectives from being
          achieved;
     iii. The controls were consistently applied as designed, including whether manual
          controls were applied by individuals who have the appropriate competence and
          authority; and
     iv.  Sub-service organizations applied the controls contemplated in the design of
          ARC’s controls.

Sincerely,

Douglas Anderson, Assistant Commissioner
Administrative Resource Center

III. DESCRIPTION OF CONTROLS PROVIDED BY THE
ADMINISTRATIVE RESOURCE CENTER

OVERVIEW OF OPERATIONS

The Administrative Resource Center (ARC) is now a component of the Fiscal Service, which was
created on October 7, 2012 as a result of the consolidation of two Treasury bureaus, the Financial
Management Service (FMS) and the Bureau of the Public Debt (BPD). Fiscal Service’s ARC has
been a member of the Treasury Franchise Fund (TFF) since August 1998. The TFF was
established by P.L. 104-208 and was made permanent by P.L. 108-447. ARC provides
administrative support services on a competitive, fee-for-service, and full-cost basis. ARC’s
mission is to aid in improving overall government effectiveness by delivering responsive and cost
effective administrative support to its Customer Agencies; thereby, improving their ability to
effectively discharge their mission.

As of June 30, 2013, ARC provided financial management services to approximately 50
Customer Agencies. Financial management services include accounting, budgeting, reporting,
travel, procurement and systems support and platform services.
The ARC divisions, branches and\nthe financial management services that they provide are:\n\nAccounting Services Division (ASD)                Services Provided\nAccounting Services Branch 1 (ASB1)               Accounting Services\n                                                  Reporting Services\n\nAccounting Services Branch 2 (ASB2)               Accounting Services\n                                                  Reporting Services\n\nAccounting Services Branch 3 (ASB3)               Accounting Services\n                                                  Reporting Services\n                                                  Budget Services\n\nAccounting Services Branch 4 (ASB4)               Accounting Services\n                                                  Reporting Services\n\nAccounting Services Branch 5 (ASB5)               Document Processing\n                                                  Reporting Services\n\n\n\nAccounts Payable Branch (APB)                     Document Processing\n\nCentral Accounting Branch (CAB)                   Supplier Table Update and Maintenance\n                                                  Record and Reconcile Payroll\n                                                  1099 Reporting\n                                                  Purchase Card Processing\n\nProgram Support Branch (PSB)                      Deposit Services\n                                                  SPS Operations\n\n\n\n\n                                               10              Description of Controls Provided\n                                                                           by the Fiscal Service\n\x0cTravel Services Division (TSD)                  Services Provided\nTemporary Duty Services Branch (TDSB)           Operate/Maintain GovTrip\n                                                Provide GovTrip Training Services\n                                                Document Processing\n                                
                                                Transaction Processing

Relocation Services Branch (RSB)                Operate/Maintain moveLINQ
                                                Record and process relocations
                                                Tax Reporting

Business Technology Division (BTD)              Services Provided
Customer Service Branch (CSB)                   Provide Financial Management System
                                                Support/Training

Quality Control Branch (QCB)                    Operate/Maintain Financial Management
                                                Systems

Project and Technical Services Branch (PTSB)    Application Development/Analysis/Project
                                                Management

Human Resources Operations Division (HROD)      Services Provided
Pay and Leave Services Branch (PLSB)            Administer webTA System User Access

Division of Procurement Services (DPS)          Services Provided
Procurement Services Branch 1 (PSB1)            Acquisition Services

Contract Administration Branch                  Acquisition Services

Procurement Services Branch 3 (PSB3)            Acquisition Services

ARC Organizational Chart (figure not reproduced)

Accounting Services (provided by the Accounting Services Division)
Accounting Services consists of the following:
   • Recording financial transactions in Oracle Federal Financials (Oracle), including
       appropriation, apportionment, allocations, revenue agreements, accounts receivable,
       collections, commitments, obligations, accruals, accounts payable, disbursements, and
       journal entries.
   • Examining and processing vendor and other employee payments.
   • Examining and processing revenue and other collections.

To maximize efficiencies and enhance Customer satisfaction, ARC has developed financial
management service guidelines for Customer Agencies. The guidelines are available to
customers via ARC’s customer websites. The guidelines provide accounting service overviews,
links to regulations and data submission requirements for the various types of services and
accounting transactions that ARC processes.

Prior to providing accounting services to Customer Agencies, ARC meets with them to learn and
understand the authorizing legislation and mission. This enables ARC to assist them in defining
their accounting needs and to ensure that the accounting services provided comply with
applicable regulations and are able to meet their internal and external reporting needs.

ARC’s automated accounting systems provide for budgeting and funds control at various
organizational and spending levels. The levels used are established based on the Customer
Agency’s authorizing legislation, apportionment level, or their request to control at a lower level
than required by law.

ARC offers commitment accounting to Customer Agencies to better enable them to monitor and
control their funds availability. When applicable, ARC sets aside funds that are available for
obligation based on an approved purchase requisition (PR). In the event that the actual order
amount is greater than the approved purchase request amount, a modification to the PR is
required unless overage tolerances have been pre-approved by the customer agency.

ARC records obligations based on fully executed purchase orders, contracts, training orders or
interagency agreements.
Recording the obligations in the accounting system sets aside funds to
ensure that funds are available to pay for the goods or services when provided and billed by
suppliers. All obligations must be approved for funds availability prior to issuance. This is
generally done through processing a PR, but is the responsibility of the Customer Agency if they
elect not to have commitment accounting services. In the event that the invoice amount is greater
than the obligated amount, a modification is required unless overage tolerances have been
pre-approved by the Customer Agency.

Customer Agencies are required to notify ARC when goods/services have been received but not
invoiced by the supplier at the end of a reporting period. Based on the information received,
ARC records expense accruals in the accounting system. The notification process is established
at the Customer Agency level and can include submitting receiving reports or schedules that
detail the items to be accrued.

ARC processes and/or records all Customer Agency disbursements. These include supplier
invoices, purchase card payments, Intra-governmental Payment and Collection (IPAC)
transactions, employee travel reimbursements, and employee payroll.

The preferred approach for payment of qualifying supplier goods/services is the government’s
purchase card program. Customer Agencies are encouraged to obtain and use a government
purchase card to the greatest extent possible and they are encouraged to participate in ARC's
purchase card program and use Citibank's CitiDirect system.
CitiDirect allows Customer Agency
cardholders and approving officials to electronically reconcile, route, approve, and submit the
purchase card statement to ARC for payment.

Generally, ARC Customer Agencies use three methods of receiving and monitoring the status of
supplier invoices. The preferred method, due to efficiencies in processing and approvals from
electronic workflow, requires that supplier invoices be submitted via the Invoice Processing
Platform (IPP). The vendor submits their invoice through IPP and the invoice is routed to the
invoice approver designated on the purchase order. The second method occurs when invoices
are submitted directly to ARC. ARC has controls that ensure that all invoices are logged with the
date received, are forwarded to the Customer Agency staff designated on the obligating document
for review and approval, and are monitored to ensure that invoices are returned to ARC for
processing in accordance with the Prompt Payment Act. The third method (under unique
circumstances) requires that supplier invoices be sent directly to the Customer Agency. When
using this method, the Customer Agency is required to establish controls to ensure that all
invoices are stamped with the date received, reviewed, certified by the staff member designated
on the obligation document, and submitted to ARC for processing in accordance with the Prompt
Payment Act.

All invoices are examined by ARC and Customer Agency staff to ensure that they are proper, as
defined by the Prompt Payment Act. In addition, invoices are matched to the obligating
documents and receiving reports (when applicable) and are certified by invoice approvers.
If
receiving reports are not submitted, the invoice approver certifies that the invoice is in accordance
with the terms of the order, and provides the dates the goods/services were received and accepted.

After the invoice approver certifies the invoice, it is submitted to ARC to process the payment to
the supplier. The Customer Agency is responsible for ensuring that invoices are submitted in
time to receive discounts, if applicable, and to pay the invoice prior to the Prompt Payment Act
due date. Upon receipt, ARC reviews the invoice for proper certification, accuracy and
completeness and either schedules the payment in accordance with the terms of the order, the
Prompt Payment Act and Electronic Funds Transfer (EFT) Rules or returns the invoice to the customer
for clarification or additional information.

ARC transmits EFT and check payment files to the U.S. Department of the Treasury using
Treasury’s Secure Payment System (SPS). In addition, ARC processes most intra-governmental
payments using Treasury’s IPAC system. ARC obtains Customer Agency approval prior to
initiating an IPAC payment to another federal agency. ARC also monitors IPAC activity initiated
against the Customer Agency by another federal agency and forwards all IPAC payments to the
appropriate certifying official for approval. ARC records all IPAC payments in the accounting
period in which the IPAC was accomplished.

Third-party payroll processors provide ARC with a file of payroll data at least bi-weekly (weekly
if payroll adjustment files are applicable) to interface into the accounting system. ARC
reconciles all payroll transactions recorded to disbursements reported by the third-party
processor. ARC records payroll accruals on a monthly basis and reverses the accrual in the
subsequent accounting period.
The payroll accrual is a prorated calculation performed by the
accounting system that is based on the most recent payroll disbursement data available.

ARC processes revenue and collection related transactions (i.e., unfilled customer orders,
receivables, and cash receipts) with Customer Agency approval. Customer Agencies forward
to ARC either approved source documents or a summary of their transactions. ARC records
IPAC transactions in the period in which they are processed in Fiscal Service’s IPAC System.
Check deposits are made by ARC or the Customer Agency. When checks are deposited by
customers, the Standard Form (SF) 215 deposit ticket is forwarded to ARC. In addition, all
deposits require the Customer Agencies to provide the accounting information necessary to
record the cash receipt.

ARC records proprietary and budgetary accounting entries using the United States Standard
General Ledger (USSGL) and Treasury approved budget object codes at the transaction level. In
addition, ARC reconciles general ledger accounts to ensure transactions are posted to the
appropriate accounts.

ARC utilizes Autonomy, a software application managed by Fiscal Service’s Office of
Management Services (OMS), Administrative Support Branch (ASB), to store hardcopy and
electronic data records. Autonomy stores the metadata of the hardcopy document, but the digital
document is stored on the storage area network (SAN) to allow access to users of the document.
ARC generates labels, which are printed and placed on boxes that are to be stored in Fiscal
Service's warehouse. The information recorded on the label is entered into Autonomy so that the
boxes can subsequently be requested by ARC personnel, as they are needed.
Once the data is
recorded in Autonomy, Fiscal Service warehouse personnel either pick up the box to be placed in
storage or return the box to ARC, as applicable.

ARC works with Customer Agencies to develop and implement processes to ensure the accuracy
of their accounting information. This includes reviewing open commitment, obligation, expense
accrual, customer agreement, and open billing document reports for completeness, accuracy, and
validity. This review is conducted by Customer Agencies or ARC staff no less frequently than
quarterly. Based on the review, a determination is made on the action(s) needed to adjust or
remove any invalid items in ARC’s accounting records.

Budget Services (provided by Accounting Services)
ARC enters the Customer Agency’s budget authority in the accounting system based on the
supporting documentation, which may include enacted legislation, anticipated resources, Treasury
warrants or transfer documents, an Apportionment and Reapportionment Schedule (SF 132), the
Customer Agency’s budget plan or recorded reimbursable activity. The budget process makes
funds available for commitment, obligation, and/or expenditure, and with controls in place, the
automated accounting system checks for sufficient funds in the Customer Agency’s budget at the
specified control levels.

Reporting Services (provided by Accounting Services)
ARC performs all required external reporting for Customer Agencies, including the following
reports: Statement of Transactions (Formerly FMS 224), FACTS I, FACTS II, Report on
Receivables, Treasury Information Executive Repository (TIER), and quarterly and year-end
financial statements. In addition, ARC has created a standard suite of management reports that
are available to all Customer Agencies.
ARC reconciles certain general ledger accounts on a
monthly basis and ensures that proprietary and budgetary general ledger account relationships are
maintained and accurate.

Temporary Duty Travel Services (provided by the Travel Services Division)
Travel Services consist of the following:
   • Operating and maintaining the E-Gov Travel system (GovTrip) in compliance with the
       Federal Travel Regulations (FTR) for all ARC Customer Agencies
   • Researching and implementing the FTR and Agency/Bureau travel policies
   • System Administration
   • Providing customer service and training to system users
   • Evaluating, recommending, and implementing approved changes to existing systems
       and/or new systems, including working with the E-Gov Travel vendor and the General
       Services Administration (GSA) on system enhancements and deficiencies
   • Processing employee reimbursements via interface to Oracle

Travel documents (authorizations and vouchers) and miscellaneous employee reimbursements are
entered by Customer Agencies into GovTrip and are electronically routed to an Approving
Official for review and approval.
The Approving Official electronically signs the documents with
a status of “approved.” All “approved” documents are interfaced and reconciled to Oracle daily.
GovTrip contains system audits that prohibit documents that do not meet certain Federal Travel
Regulations or do not contain the required accounting information from being approved; such
documents therefore will not interface to Oracle.

Relocation Services (provided by Travel Services Division)
Relocation Services consist of the following:
   • Operating and maintaining moveLINQ, a government relocation expense management
        system in compliance with the Federal Travel Regulations (FTR), Department of State
        Standardized Regulations (DSSR), and Joint Federal Travel Regulations (JFTR) to record
        and process Permanent Change of Station (PCS), Temporary Change of Station (TCS)
        and other types of non-TDY moves (for example, Home Leave, Evacuation, Medical
        Evacuation, Rest and Recuperation, and Education Travel) for Customer Agencies
   • Researching and implementing relocation regulations and Agency/Bureau relocation
        travel policies
   • System Administration
   • Providing customer service
   • Providing system support and training to internal users
   • Evaluating, recommending, and implementing approved changes to the existing system,
        including working with the moveLINQ vendor, mLINQS, on system enhancements and
        deficiencies
   • Processing relocations through the moveLINQ system
   • Processing obligations and disbursements via interface to Oracle
   • Tax Reporting

Relocation travel documents (authorizations, amendments, advances, and vouchers) are entered
by ARC into moveLINQ. Prior to being submitted in moveLINQ, the vouchers are reviewed for
accuracy by a second ARC employee.
Completed documents are faxed or digitally scanned and
e-mailed to the traveler and/or approving official for review and approval, as appropriate. For
customers for which we process payments, approved documents are interfaced and reconciled to
Oracle daily.

Procurement Services (provided by the Division of Procurement Services)
Procurement Services consist of the following:
    • Awarding contracts and purchase orders in accordance with Federal Acquisition
       Regulations, Treasury Acquisition Regulations, and Customer Agencies Regulations, as
       applicable
    • Contract administration
    • Purchase Card Administration

Requests for procurement actions are initiated by customers through requisitions. The
requisitions contain a performance work statement or requirements document, estimated dollar
amount for the goods or service, validation that funds are available and approval from an
authorized official. Requisitions may be sent electronically through PRISM or manually.

Upon receipt of a completed requisition, ARC procurement personnel will develop an acquisition
strategy based upon the item or service being purchased and the expected dollar amount of the
purchase. Using information from the requisition, ARC personnel will develop and publicize the
solicitation requesting proposals. ARC personnel will conduct the evaluation of the proposals
with a technical team of experts from our Customer Agencies.
With input from the technical team,
an ARC contracting officer will select the vendor that best meets the customer’s requirements.

Following award of the contract, ARC personnel will provide contract administration services.
This includes executing approved and authorized contract modifications, resolving issues that arise
during the life of the contract, monitoring delivery schedules and closing out the contract at
completion.

System Platform Services (provided by the Business Technology Division)
ARC maintains system support staff that provide customer services and training activities.
Customer support is provided via phone or e-mail. ARC maintains a training course curriculum
that is generally provided in a hands-on classroom environment.

ARC performs all system access activities in accordance with established procedures for granting,
changing, and removing user access. Included in these procedures are independent reviews of
system access activity and user inactivity.

ARC performs all system change activities in accordance with established procedures for
evaluating, authorizing, and implementing changes. To this end, ARC maintains responsibility for
System Integration Testing, providing customers an opportunity to perform User Acceptance
Testing, and approving production changes.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK
ASSESSMENT, AND MONITORING

Control Environment

ARC Financial Management Service operations are under the direction of the Assistant
Commissioner of the Office of Administrative Services (OAS).
ARC’s mission is to aid in
improving overall government effectiveness by delivering responsive and cost-effective
administrative support to its Customer Agencies, thereby improving their ability to effectively
discharge their mission.

ARC employees and contractors working at ARC are responsible for processing and reporting
accounting activity, providing system support and development services, procurement, and travel
services for its Customer Agencies. ARC holds management meetings on a regular basis to
discuss special processing requests, operational performance, and the development and
maintenance of projects in process. Written position descriptions for employees are maintained.
The descriptions are inspected and revised as necessary.

References are sought and background, credit, and security checks are conducted for all Fiscal
Service personnel when they are hired. Additional background, credit, and security checks are
performed every three to five years. The confidentiality of user-organization information is
stressed during the new employee orientation program and is emphasized in the personnel manual
issued to each employee. Fiscal Service provides a mandatory orientation program to all full time
employees and encourages employees to attend other formal outside training. Training available
to Fiscal Service employees with related work responsibilities includes, but is not limited to:
Prompt Pay and Voucher Examination, Appropriation Law, Federal Acquisition Regulations,
Federal Travel Regulations, Reconciling with and Reporting to Treasury, Dollars & Sense,
Federal Accounting Fundamentals, USSGL Practical Applications, Budgeting and Accounting –
Making the Connection, and Computer Security Training Awareness.

All Fiscal Service employees receive an annual written performance evaluation and salary
review.
These reviews are based on goals and objectives that are established and reviewed during
meetings between the employee and the employee’s supervisor. Completed appraisals are
reviewed by senior management and become a permanent part of the employee’s personnel file.

Risk Assessment

Fiscal Service has placed into operation a risk assessment process to identify and manage risks
that could affect ARC’s ability to provide reliable accounting and reporting, system platform and
travel services for Customer Agencies. This process requires management to identify significant
risks in their areas of responsibility and to implement appropriate measures and controls to
manage these risks.

Monitoring

Fiscal Service management and supervisory personnel monitor the quality of internal control
performance as a normal part of their activities. Management and supervisory personnel inquire
of staff and/or review data to ensure that transactions are processed within an effective internal
control environment. An example of a key monitoring control is that ASD Accounting Services
Branch Managers and/or Supervisors review reconciliations from Oracle sub ledgers to the
related general ledger accounts. ASD prepares budgetary to proprietary account relationship
reconciliations on a monthly basis. In addition, ASD prepares and reconciles the FACTS II
submitted reports to the trial balance and statement of budgetary resources each time the FACTS
II file is submitted.
ARC also uses the results of the annual Statements on Standards for
Attestation Engagements (SSAE 16) examination as a tool for identifying opportunities to
strengthen controls.

INFORMATION AND COMMUNICATION

Information Systems

Oracle Federal Financials (Oracle)
Oracle on Demand operates Oracle versions 11 and R12 and an Oracle 11g database in a Linux
operating system environment. Oracle uses a two-tier web-based infrastructure with a front-end
Internet user interface and a database residing on the secure network. The application accesses
the database IP to IP on a specified port that was defined in the Access Control List. Only select
Internet Protocol (IP) addresses that are defined in the Access Control List are permitted to
connect to the database IP. Internet access is via a 128-bit Secure Sockets Layer (SSL) encrypted
connection. The application is compliant with Section 508 of the Rehabilitation Act Amendment
for 1998 for Americans with Disabilities (ADA). Functions of Oracle include budget execution,
general ledger, purchasing, accounts payable, accounts receivable, project accounting, fixed
assets, and manufacturing. ARC also uses a report writer package called Discoverer that provides
users with the ability to create their own ad hoc reports for query purposes.

Procurement Request Information System Management (PRISM)
Oracle on Demand operates PRISM version 7.1 on the Windows Server 2003 operating system and
an Oracle 11g database in a Linux operating system environment. PRISM uses a two-tier web-based
infrastructure with a front-end Internet user interface using Windows as its operating system and
a database residing on the secure Oracle on Demand network.
The application accesses the
database on a specified port that is defined in the Access Control List. Only select Internet
Protocol (IP) addresses that are defined in the Access Control List are permitted to connect to the
database IP. Internet access is via a 128-bit SSL encrypted connection. Transactions entered
through PRISM interface real-time with Oracle.

Invoice Processing Platform (IPP)
ARC uses the Fiscal Service’s IPP electronic invoice processing solution (mandated for all
Treasury Bureaus by the Department of Treasury). IPP is a web-based electronic invoicing and
payment information system that is hosted by the Federal Reserve Bank of Boston. Purchase
orders are interfaced from Oracle to IPP. Invoices are submitted in IPP by either the vendor or
ARC personnel and are routed to the customer for approval. Upon approval, the invoice
interfaces from IPP to Oracle and the invoice is scheduled for payment. Remittance information
then interfaces from one of three Regional Finance Centers (RFC), Treasury Fiscal Management
Service processing centers that provide payment services for federal agency sites. IPP users
consist of invoice approvers, viewers and administrators.

webTA
ARC uses Kronos’ webTA as its time and attendance system for most of its Customer Agencies
whose payroll is processed by the NFC. Transactions that are entered in webTA interface with
NFC, and NFC ultimately sends payroll data back to ARC for an interface into Oracle.

ARC operates webTA version 3.8.15 on Windows Server 2003. webTA uses the Oracle 11g
database, which runs on the ARC subnet and accesses data in the ARC DMZ using Linux AS 2.1
as its operating system. Information and Security Services (ISS) serves as the webTA database
administrator and provides primary support for tape backup and recovery. webTA uses a two-tier
web-based infrastructure with a front-end Internet user interface and a database residing on the
secure network.
The application (web-applet) accesses the database on a specified port that is
defined in the Access Control List. Only select IP addresses that are defined in the Access
Control List are permitted to connect to the database IP. External Internet access is via a 128-bit
encrypted connection. External security is provided by ISS through firewall rules and router
access control lists.

GovTrip
ARC uses Northrop Grumman Mission System’s (NGMS’s) GovTrip travel system (system
selected by the U.S. Department of the Treasury as its E-Gov Travel solution). NGMS developed
and hosts GovTrip. GovTrip is a web-based, self-service travel system that incorporates
traditional reservation and fulfillment support and a fully-automated booking process. GovTrip
uses system processes and audits to ensure compliance with the FTR and/or Agency policy.
GovTrip is used to prepare, examine, route, approve, and record travel authorizations and
vouchers. It is used to process all temporary duty location (TDY) authorizations, vouchers, local
vouchers and miscellaneous employee reimbursements. Approved documents interface to Oracle
for obligation or payment during a daily batch process. GovTrip users consist of travelers,
document preparers, budget reviewers, approving officials and administrators.

moveLINQ
ARC uses mLINQS’ relocation expense management system, moveLINQ, to meet their relocation
management program, payment system and reporting requirements. moveLINQ is an E-Gov
Travel Services and Federal Travel Regulations, Chapter 302 compliant web-based system that
automates relocation expense management processes, policy and entitlement for both domestic
moves and international relocations.
The application is used for household goods shipment and
storage arrangements, employee travel arrangements, third party real estate payments and
relocation tax administration, including W-2 preparation. Approved documents interface to
Oracle for obligation or payment during a daily scheduled batch process. moveLINQ users
consist of authorized TSD personnel. ISS hosts the moveLINQ system and serves as the
Microsoft SQL database administrator and provides primary support for tape backup and
recovery.

PRISM, IPP, GovTrip, moveLINQ, and E-Payroll to Oracle Reporting (EOR) are feeder systems
that interface with Oracle. Oracle on Demand hosts Oracle, PRISM and EOR, Northrop
Grumman hosts GovTrip, the Federal Reserve Bank of Boston hosts IPP, and ARC hosts
moveLINQ. ARC performs application administration for all feeder systems.

Communication

Fiscal Service has implemented various methods of communication to ensure that all employees
understand their individual roles and responsibilities over processing transactions and controls.
These methods include orientation and training programs for newly hired employees, and use of
electronic mail messages to communicate time sensitive messages and information. Managers
also hold periodic staff meetings as appropriate. Every employee has a written position
description that includes the responsibility to communicate significant issues and exceptions to an
appropriate higher level within the organization in a timely manner.
Managers also make an
effort to address continuing education needs of all employees by identifying training
opportunities made available through Fiscal Service’s employee training and career development
programs, internal training classes, and professional conferences.

COMPLEMENTARY CUSTOMER AGENCY CONTROLS

The Fiscal Service’s processing of transactions and the controls over the processing were
designed with the assumption that certain controls would be placed in operation by Customer
Agencies for the control objectives to be achieved. This section describes some of the controls
that should be in operation at Customer Agencies to complement the controls at Fiscal Service.
Customer Agency auditors should determine whether user Customer Agencies have established
controls to provide reasonable assurance to:
•   Properly approve and accurately enter obligations into the procurement and travel systems in
    the proper period.
•   Send approved requests to record manual obligations to ARC in a timely manner.
•   Review open obligation and accrual reports for completeness, accuracy, and validity.
•   Approve and return relocation travel authorizations to Relocation Services Branch (RSB) for
    processing in moveLINQ in a timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a
    timely manner.
•   Compare actual spending results to budgeted amounts.
•   Review the financial reports provided by ARC to ensure that disbursement transactions are
    complete and accurate.
•   Approve
invoices for payment and send approved invoices to ARC in a timely manner.\n\xe2\x80\xa2   Ensure that invoices properly reflect the invoice receipt date and formal or constructive\n    acceptance date according to the Prompt Payment Act.\n\xe2\x80\xa2   Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.\n\xe2\x80\xa2   Maintain and communicate to ARC, a list of individuals authorized to approve invoices and\n    travel vouchers when it is not communicated in the authorizing agreement.\n\xe2\x80\xa2   Send approved and accurate documentation of unfilled customer orders, receivables, and cash\n    receipts transactions to ARC in the proper period.\n\xe2\x80\xa2   Review unfilled customer orders, receivable and advance reports for completeness, accuracy,\n    and validity.\n\xe2\x80\xa2   Monitor and pursue collection of delinquent balances.\n\xe2\x80\xa2   Review the financial reports provided by ARC to ensure that payroll accruals are complete\n    and accurate.\n\xe2\x80\xa2   Verify that payroll processed by third-party providers is complete and accurate.\n\xe2\x80\xa2   Review the financial reports provided by ARC to ensure that payroll disbursements are\n    complete and accurate.\n\xe2\x80\xa2   Approve and send revenue and expense accruals to ARC in a timely manner.\n\xe2\x80\xa2   Review and approve, prior to submission, the financial reports prepared by ARC to ensure\n    that all reports prepared for external use are complete, accurate, and submitted in a timely\n    manner.\n\n                                              22                 Description of Controls Provided\n                                                                             by the Fiscal Service\n\x0c\xe2\x80\xa2   Review open obligation and accrual reports for completeness, accuracy, and validity.\n\xe2\x80\xa2   Provide certification of FACTS II to ARC prior to ARC\xe2\x80\x99s FACTS II system certification.\n\xe2\x80\xa2   Send 
approved budget plans to ARC in a timely manner.\n\xe2\x80\xa2   Review the financial reports provided by ARC to ensure that budget entries are complete and\n    accurate.\n\xe2\x80\xa2   Communicate OMB apportionment status to ARC.\n\xe2\x80\xa2   Monitor usage of budget authority during periods of operation under a Continuing Resolution\n    to ensure that OMB directed apportionment limits are not exceeded.\n\xe2\x80\xa2   Send valid and approved requests to record manual journal entries to ARC in a timely\n    manner.\n\xe2\x80\xa2   Maintain and communicate to ARC, a list of individuals authorized to submit manual journal\n    entries that are initiated by the Customer Agency.\n\xe2\x80\xa2   Review and approve listing of users with current Oracle, PRISM, IPP, webTA, and GovTrip\n    access to ensure appropriateness.\n\xe2\x80\xa2   Ensure exiting employee timecards are coded \xe2\x80\x9cFinal\xe2\x80\x9d as this will help ensure that HR staff\n    deactivate the employee\xe2\x80\x99s webTA access.\n\n\nSpecific complementary Customer Agency Controls are provided for Control Objectives 1, 2, 3,\n5, 6, 7, 8, 9, 10, 11, 12, and 17, in the Control Objectives, Related Controls, and Tests of\nOperating Effectiveness section of this report.\n\n\n\n\n                                             23                Description of Controls Provided\n                                                                           by the Fiscal Service\n\x0cSUB-SERVICE ORGANIZATIONS\n\nIn order to provide financial management services, ARC relies on systems and services provided\nby other organizations external to Fiscal Service (sub-service organizations). The achievement of\ncontrol objectives depends on whether controls at the sub-service organizations anticipated in the\ndesign of Fiscal Service\xe2\x80\x99s controls were implemented and operating effectively. 
These sub-service organizations were not subject to examination by KPMG LLP.

Name of Sub-service           Name of System            Function/Responsibilities
Organization

Fiscal Service                Central Accounting and    Treasury’s Fiscal Service provides
                              Reporting System          reports to inform agencies of their
                              (CARS)                    Fund Balance With Treasury and to
                                                        assist agencies in reconciling their
                                                        general ledger balances to Fiscal
                                                        Service balances. ARC uses these
                                                        reports to perform reconciliations.

                              Secure Payment System     ARC uses SPS to process payments
                              (SPS)                     for invoices.

                              Invoice Processing        ARC uses IPP to electronically route
                              Platform (IPP)            invoices for approval and payment.

                              CIR, CARS (Treasury       ARC uses these applications to
                              Disbursing Offices)       identify differences between cash and
                              TDO Payments,             disbursements.
                              Intragovernmental
                              Payment and Collection
                              transactions (IPACs)

                              FACTS I                   Treasury’s Fiscal Service maintains
                                                        the FACTS I system. The FACTS I
                                                        system has edit checks to verify that
                                                        the submitted USSGL accounts and
                                                        attributes are valid and have equal
                                                        debit and credit balances.

                              FACTS II                  Treasury’s Fiscal Service maintains
                                                        the FACTS II system. The FACTS II
                                                        system performs USSGL edit checks
                                                        and rejects any files that fail the edit
                                                        checks.

                              TGAnet and OTCnet         Treasury General Account Deposit
                                                        Reporting Network (TGAnet) and
                                                        Over The Counter Channel
                                                        Application (OTCnet) enable Federal
                                                        Program Agency (FPA) users to report
                                                        over-the-counter receipts in a secure,
                                                        web-based system. In addition to the
                                                        summary deposit information
                                                        currently required on the paper SF
                                                        215, TGAnet and OTCnet collect
                                                        sub-total accounting information that
                                                        can feed the FPA's administrative
                                                        accounting systems as well as the
                                                        Treasury's central accounting system.

                              FedInvest                 Used to purchase and redeem
                                                        Government Account Series (GAS)
                                                        securities; data source for Customer
                                                        Agency federal investment interfaced
                                                        transactions with Oracle.

Treasury                      Treasury Information      For ARC’s Treasury and the
                              Executive Repository      Department of Homeland Security
                              (TIER)                    Customer Agencies, FACTS I and II
                                                        reporting requirements are met using
                                                        TIER. TIER is Treasury’s
                                                        departmental data warehouse that
                                                        receives monthly uploaded financial
                                                        accounting and budgetary data from
                                                        the Treasury and the Department of
                                                        Homeland Security bureaus and other
                                                        reporting entities within the
                                                        Department of the Treasury and the
                                                        Department of Homeland Security in a
                                                        standardized format. Data submitted to
                                                        TIER by an ARC accountant is
                                                        validated based on system-defined
                                                        validation checks.

                                                        ARC has customized programs in
                                                        Oracle that extract the accounting and
                                                        budgetary data in the required TIER
                                                        format. TIER has a standardized chart
                                                        of accounts that is compliant with
                                                        USSGL guidance issued by the
                                                        Department of the Treasury. FACTS
                                                        II edit checks are incorporated in the
                                                        TIER validation checks. After
                                                        submitting the adjusted trial balances
                                                        into TIER, ARC accountants review
                                                        the edit reports and resolve any invalid
                                                        attributes or out-of-balance conditions.
                                                        ARC accountants document this
                                                        review by completing the TIER
                                                        Submission Checklist, which is further
                                                        reviewed by a supervisor.

                              Financial Analysis and    Treasury’s FARS produces financial
                              Reporting System          statements using data bureaus have
                              (FARS)                    submitted to TIER.

Various third-party payroll   Various systems           Third-party payroll processors
processors                                              transmit payroll files to ARC after the
                                                        end of a pay period. ARC uses these
                                                        files for recording payroll
                                                        disbursements.

Northrop Grumman              GovTrip                   NGMS developed and hosts the
Mission Systems (NGMS)                                  GovTrip system, which is an E-Gov
                                                        travel platform. NGMS is the vendor
                                                        for E-Gov travel selected by the
                                                        Department of the Treasury.
                                                        NGMS maintains the data in their
                                                        Business Data Warehouse for six
                                                        years and three months.

General Services              Central Contractor        Primary registrant database for the
Administration (GSA)          Registration (CCR)        U.S. Federal Government; collects,
                                                        validates, stores and disseminates data
                                                        in the System for Award Management
                                                        in support of Customer Agency
                                                        acquisition missions.

Oracle Corporation            Oracle on Demand          ARC’s Oracle and PRISM
                                                        applications are hosted at Oracle on
                                                        Demand. Fiscal Service retains
                                                        application administration
                                                        responsibilities and Oracle on Demand
                                                        provides the computer processing
                                                        infrastructure and support thereto.

                                                        Oracle on Demand staff serve as the
                                                        database and system administrators
                                                        and provide backup and recovery
                                                        services for Oracle and PRISM.

IV. CONTROL OBJECTIVES, RELATED CONTROLS, AND TESTS OF OPERATING EFFECTIVENESS

ACCOUNTING PROCESSING CONTROLS

Control Objective 1 - Obligations

Controls provide reasonable assurance that obligations are authorized, reviewed, documented,
and processed timely in accordance with Administrative Resource Center (ARC) policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of obligations.

PRISM System Interface
An obligation is created when a Customer Agency enters into a legally binding contract with a
vendor for goods or services. The obligation is entered into the accounting system through an
interface between PRISM and Oracle. The interface changes the budget status from a
commitment (if applicable) to an obligation in the general ledger and updates the corresponding
system tables.
The interface between the procurement and accounting systems is real-time. The
procurement system has built-in controls that validate information provided by the Customer
Agency and ensure proper authorization is granted prior to the interface into the accounting
system. These include:
    • Limited options based on roles;
    • Field inputs limited to look-up tables;
    • Data validations;
    • Pre-populated fields for default or standard entries;
    • Validation of funds availability; and
    • Non-editable fields (i.e., total when amount is per unit).

The interface between PRISM and Oracle is monitored periodically throughout the day by
systems analysts. The analysts periodically monitor a report that identifies transactions that have
been in the Pending Financial Approval status for more than 15 minutes and a report that
identifies transactions that were disapproved during the Pending Financial Approval status. The
analysts monitor the reports to ensure transactions are processed timely and to identify and
investigate any issues. Additionally, for transactions that terminate in Pending Financial Approval
status, the report indicates that when Oracle attempted to insert the record into the general ledger
database a successful message was not returned. The report lists all transactions currently in this
state. The analyst investigates all transactions included in the report to resolve the issues and
change the status accordingly.

Manually Recorded Obligations – Customer Agency Approval
For obligations not processed through the interface, Customer Agencies and/or Procurement
send ARC a signed copy of the agreement or an e-mail to obligate the funds. Upon receipt from
the Customer Agency, the ARC technician responsible for processing the Customer Agency’s
accounting transactions reviews the documentation to ensure that adequate accounting
information has been received, and manually enters the obligation into Oracle. Obligations that
are posted in Oracle are available for both ARC and Customer Agency review through ad hoc
Discoverer reports.

Temporary Duty Travel System Interface
Customer Agencies enter travel authorizations into GovTrip and electronically route them to
Approving Officials for review and approval. Approving Officials electronically sign the
authorization with a status of “approved”. All “approved” authorizations are interfaced daily via
batch processing to Oracle which records an obligation in the general ledger. Each day an
interface file is received from Northrop Grumman Mission Systems (NGMS) which is used for
processing, report generation, and identification of exceptions. The file is loaded into the Oracle
interface and accepted records are added to Oracle as obligations in the general ledger. A Travel
Order Status Report is generated and reviewed to identify and correct data interface errors and
exceptions between GovTrip and Oracle. To correct transactions of this nature, the transactions
are manually entered into the system. Approved authorizations in GovTrip are reconciled daily
by an accounting technician with an Oracle generated report to ensure that all GovTrip
authorizations have been interfaced and processed in Oracle. In addition, GovTrip prevents a
user from both entering and approving travel authorizations unless they have authorized access.

Relocation Travel System Interface
The Relocation Services Branch (RSB) personnel enter PCS travel authorizations into
moveLINQ, save as PDF and send them to Approving Officials for review and approval. When
the signed document is received by RSB, Relocation Coordinators stamp the document in
moveLINQ with a status of “approved”. All “approved” documents are interfaced daily via batch
process to Oracle which records an obligation in the general ledger. Approved authorizations in
moveLINQ are reconciled daily by an accounting technician with an Oracle generated report to
ensure that all moveLINQ authorizations have been interfaced and processed in Oracle.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at various allocation levels.

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level.
Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set-up in Oracle by the
Customer Service Branch (CSB). System settings are reviewed with the Customer Agency on an
annual basis. Budget plans are input into Oracle by ARC staff, based upon budget plans provided
by Customer Agencies, and are independently reviewed.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on obligating
documents. ARC has developed and implemented a standard document-numbering scheme to
avoid duplicate document processing and to enable readers of ARC reports to better identify
and/or determine the nature of transactions processed by ARC. When an ARC user attempts to
enter a transaction identification number that already exists, Oracle issues an error message that
alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Properly approve and accurately enter obligations into the procurement and travel systems in
    the proper period.
•   Send approved requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Review and approve listing of users with current Oracle, PRISM, IPP, webTA, and GovTrip
    access to ensure appropriateness.
•   Approve and return relocation travel authorizations to RSB for processing in moveLINQ in a
    timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.
•   Compare actual spending results to budgeted amounts.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of obligations and determined that the
   procedures were formally documented for the processing of obligations.
2. Observed the validation tables in PRISM and noted that the system was configured to
   validate obligation document types and to ensure accuracy and completeness of the data
   interfaced from PRISM to Oracle.
3. Observed the PRISM Support Desk Staff monitoring the “Pending Financial Approval” and
   “Disapproved during Pending Financial Approval” reports and noted that the reports
   appeared to be monitored, and backlogs were not building up.
4. For a selection of manually entered obligations, inspected evidence of Customer Agency
   approval and determined that manually entered obligations were approved prior to being
   entered into Oracle by ARC Staff.
5. Observed the daily GovTrip interface and noted that approved travel authorizations were
   interfaced into Oracle and recorded as an obligation.
6. For a selection of dates, inspected GovTrip to Oracle interface reconciliations and determined
   that daily reconciliations were performed to ensure that data from GovTrip interfaced to
   Oracle.
7. Observed an ARC staff member entering travel vouchers into GovTrip and noted that the
   system required the travel vouchers to be routed to an approving official.
8. Observed an approving official attempt to enter and approve travel authorizations and noted
   that GovTrip prevented a user from both entering and approving travel authorizations.
9. Observed the daily moveLINQ interface and noted that approved relocation authorizations
   were interfaced into the Oracle system and recorded as an obligation.
10. For a selection of days, inspected the reconciliation of authorization from moveLINQ to
    Oracle and determined that the interface activity was reconciled to ensure all approved
    authorizations were completely and accurately interfaced to Oracle.
11. For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
12. Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically
    rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 2 - Disbursements

Controls provide reasonable assurance that the disbursement of invoices and vouchers is
authorized, reviewed, processed timely, reconciled, and properly documented in accordance with
ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of disbursements.

Customer Agency Invoice Approvals
ARC only processes disbursements for invoices with Customer Agency approval. Vendors can
submit invoices through the Invoice Processing Platform (IPP) or send invoices to the Customer
Agency or ARC, depending on the instructions in the purchase order.
If the vendor submits the
invoice through IPP it is routed to the invoice approver designated on the purchase order. If
invoices are sent to the Customer Agency, the Customer Agency reviews and approves the
invoice and forwards the invoice and documentation of Customer Agency approval to ARC. If
invoices are sent to ARC, Customer Agency approval is given through an executed receiving
document, via IPP workflow or ARC submits the invoice to an authorized Customer Agency
contact for approval. Appropriate contacts are either specified in the purchase order or are
communicated to ARC by the Customer Agency. Intra-governmental Payment and Collection
transactions (IPACs) which decrease an ARC Customer Agency’s Fund Balance with Treasury
(FBWT) must be approved in advance by the Customer Agency, unless the IPAC was initiated
against the Customer Agency by another federal agency. To ensure that IPAC transactions
initiated against the Customer Agency by another federal agency are posted in the proper
accounting period, ARC may obtain Customer Agency approval after the IPAC has been
recorded. Disbursement may also occur with information from feeder systems (PRISM, GovTrip,
and moveLINQ).

Statistical Sampling of Invoices
All invoices are subject to ARC internal review. System controls set at the user identification
and/or vendor level ensure that payment of invoices greater than or equal to $2,500 which are
processed by an accounting technician must be reviewed and approved by a lead accounting
technician or an accountant. Invoices less than $2,500 are subject to statistical sampling. System
user access profiles restrict accounting technicians’ ability to process documents that require
secondary review and approval and ensure proper segregation of duties is maintained. A 100%
post audit management review is conducted monthly on all invoices greater than $2,500 that are
both processed and approved by the same individual.

Temporary Duty Travel Vouchers
Customer Agencies enter temporary duty travel vouchers into GovTrip and electronically route
them to Approving Officials for review and approval. Approving Officials electronically sign the
voucher with a status of “approved”. All “approved” travel vouchers are interfaced daily via
batch processing to Oracle which records a disbursement in the general ledger. Each day an
interface file is received from the GovTrip System which is used for processing, report
generation, and identification of exceptions. The file is loaded into the Oracle interface and
accepted records are added to Oracle as disbursements in the general ledger. The travel voucher
is then matched against an existing authorization. A Travel Voucher Status Report is generated
and reviewed to identify and correct data interface errors and exceptions between GovTrip and
Oracle. To correct transactions of this nature, the transactions are manually entered into the
system. Approved vouchers in GovTrip are reconciled daily by an accounting technician with an
Oracle generated report to ensure that all GovTrip vouchers have been interfaced and processed
in Oracle. In addition, GovTrip prevents a user from both entering and approving travel
vouchers.

Statistical Sampling of Temporary Duty Travel Vouchers
Temporary Duty Services Branch (TDSB) staff completes a post audit review of temporary duty
travel vouchers to verify the accuracy of the interfaced data and compliance with Federal Travel
Regulations (FTR), using statistical sampling procedures to select documents less than $2,500,
based on the Customer Agency’s travel policy (FTR or FTR/ARC). A 100% post audit review is
conducted on all documents greater than $2,500. Errors discovered during the review are sent via
e-mail to the traveler or document preparer and approving official to review and/or take action.
Billing documents are created for amounts owed by a traveler of $25 or greater, resulting from an
overpayment in which the Customer Agency has declared the overpayment a debt of the
government. The traveler sends a check to cover the overpayment.

Relocation Services Travel Vouchers
RSB personnel enter and audit each PCS travel voucher in moveLINQ, save as PDF and then
send them to Approving Officials for review and approval. When the signed document is
received by RSB, Relocation Coordinators stamp the document in moveLINQ with a status of
“approved”. All “approved” documents are interfaced daily via batch processing to Oracle which
records a disbursement in the general ledger.
Approved vouchers in moveLINQ are reconciled
daily by an Accounting Technician with an Oracle generated report to ensure that all moveLINQ
vouchers have been processed in Oracle.

Payment Date Calculations
Based on the Customer Agency’s contracts with its suppliers, ARC staff enters the later of the
invoice receipt date, or the earlier of the formal or constructive acceptance dates in Oracle based
on the supporting documentation from the Customer Agency or dates provided by the Customer
Agency’s approver in IPP. The invoice date is entered into Oracle by ARC staff or interfaces
from the IPP Invoice. On a daily basis, Oracle selects invoices that are due for payment and
creates files for manual uploading into Treasury’s Secure Payment System (SPS). The ARC SPS
certifying officer compares the number and dollar amount of payments from the SPS generated
schedule to the payment files generated by Oracle to ensure all payment files have been uploaded
to Treasury. For invoices that are subject to the Prompt Payment Act, Oracle schedules
payments to disburse 30 days after the later of the invoice receipt date and the earlier of the date
of formal or constructive acceptance (unless the supplier’s contract or invoice states otherwise).
Effective July 11, 2012, all vendor invoices are scheduled for payment as soon as approved. Any
payments that are subject to the Prompt Payment Act that are paid after their Oracle scheduled
due date are subject to prompt pay interest to cover the period the payment was due but not paid.
Oracle automatically determines if interest is due based on the dates in the accounting system.
If interest is due, Oracle calculates interest and generates an interest payment to the vendor,
provided the total interest is more than one dollar.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury’s Fiscal Service issues the Statement of Differences to agency location
codes (ALC) when differences are identified between the cash activity reported by the agency on
the Central Accounting Reporting System (CARS) Statement of Transactions (formerly FMS
224), and data reported to Treasury’s Collections Information Repository (CIR, formerly TRS),
Payment Information Repository (PIR), CARS TDO Payments, and IPAC systems. ARC
accountants minimize month-end disbursement differences by comparing preliminary CARS
Statement of Transactions disbursement data to data obtained from Treasury’s CIR, PIR, CARS
TDO Payments, and IPAC systems. Any differences identified by the accountant are corrected
by an accounting technician or another accountant prior to the close of the accounting period.
ARC accountants prepare monthly Statement of Differences reconciliations for supervisory
review. If a Statement of Differences was received, the transaction(s) that caused the difference is
(are) identified and if necessary, correcting entries are posted by an accounting technician or
another accountant and reported in the subsequent accounting period.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded.
Budget plans can be
established at various allocation levels.

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set-up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis. Budget plans
are input into Oracle by ARC staff, based upon budget plans provided by Customer Agencies.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers for the same vendor
site on accounts payable transactions.
ARC has developed and implemented a standard
document-numbering scheme to avoid duplicate document processing and to enable readers of
ARC reports to better identify and/or determine the nature of transactions processed by ARC.
When an ARC user attempts to enter a transaction identification number that already exists,
Oracle issues an error message that alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review the financial reports provided by ARC to ensure that disbursement transactions are
    complete and accurate.
•   Approve invoices for payment and send approved invoices to ARC in a timely manner.
•   Ensure that invoices properly reflect the invoice receipt date and formal or constructive
    acceptance date according to the Prompt Payment Act.
•   Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a
    timely manner.
•   Maintain and communicate to ARC a list of individuals authorized to approve invoices and
    travel vouchers when it is not communicated in the authorizing agreement.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of disbursements and determined that the
   procedures were formally documented.
2.
For a selection of invoices, inspected documentation of Customer Agency authorization and
   related general ledger entries and determined that disbursements were authorized and
   processed timely.
3. For a selection of Intergovernmental Payment and Collection (IPAC) transactions, inspected
   documentation of Customer Agency authorization and related general ledger entries and
   determined that disbursements were authorized and processed timely.
4. Observed an accountant process an invoice over $2,500 and noted that the system
   automatically routed the invoice to a secondary lead accounting technician or an accountant
   for review and approval.
5. For a selection of months, inspected evidence of the statistical review of invoices less than
   $2,500 and determined that the statistical review was performed subject to statistical sampling
   by a lead accounting technician or an accountant.
6. For a selection of months, inspected evidence and determined that the 100% post audit
   management reviews were conducted monthly on all invoices greater than $2,500 which were
   both processed and approved by the same individual and determined that the review was
   performed appropriately.
7. Observed the daily GovTrip interface and noted that approved travel authorizations were
   interfaced into Oracle and were recorded as an obligation.
8. For a selection of days, inspected GovTrip voucher reconciliations and determined that
   approved vouchers in GovTrip were reconciled daily to Oracle by an accounting technician.
9. Observed a user in GovTrip attempting to approve their own travel voucher and noted that the
   system automatically prevented the user from approving their own travel voucher.
10. There were no temporary duty travel voucher invoices over $2,500 that were processed
    during the selected months that were processed and approved by the same individual.
11.
Observed relocation vouchers interfaced into Oracle and noted that approved vouchers were
    interfaced via automated batch process.
12. For a selection of days, inspected evidence and determined that vouchers in moveLINQ were
    reconciled daily by an Accounting Technician with an Oracle generated report.
13. For a selection of days, inspected evidence that the ARC SPS certifying officer compared the
    number and dollar amount of payments and determined that the review was completed daily
    to ensure interfaces were uploaded completely.
14. For a selection of invoices subject to the Prompt Payment Act, inspected documentation and
    determined that Oracle schedules payments to disburse 30 days after the later of the invoice
    receipt date and the earlier of the date of formal or constructive acceptance (unless the
    supplier’s contract or invoice states otherwise).
15. For a selection of late payments, inspected evidence and determined that proper interest was
    calculated and paid based on the number of days the payment was late.
16. For an example late payment, recalculated the interest owed and determined that Oracle
    calculated interest and generated an interest payment to the vendor.
17. For a selection of months, inspected the Statement of Differences and determined that
    supervisors reviewed the reconciliations.
18. For identified differences from the selection of months and Customer Agencies, inspected
    evidence and determined that accounting technicians or another accountant corrected
    differences prior to the close of the accounting period or in the subsequent accounting period
    if necessary, based on timing.
19.
For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
20. Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.

Control Objective 3 – Unfilled Customer Orders, Receivables, and Cash Receipts

Controls provide reasonable assurance that unfilled customer orders, receivables, and cash
receipts are reconciled and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of unfilled customer
orders, receivables, and cash receipts.

Customer Agency Approval
ARC only processes unfilled customer orders, receivables, and cash receipts with Customer
Agency approval, with the exception of checks received for deposit directly by ARC on the
customer’s behalf for accounts payable invoice refunds of overpayments and/or vendor rebates.
Customer Agencies either send signed source documents or provide a summary of their
transactions via fax or e-mail. ARC enters all transactions into Oracle, which are available for
review through reporting systems.
To help ensure that cash receipts are posted in the proper
accounting period, ARC may obtain Customer Agency approval after the cash receipt has been
recorded.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury’s Fiscal Service issues the Statement of Differences to ALCs when
differences are identified between the cash activity reported by the agency on the CARS
Statement of Transactions, and data reported to Treasury’s CA$HLINK II, CIR, PIR, TRS and
IPAC systems. ARC accountants minimize month-end differences relating to collections by
comparing preliminary CARS collection data to Treasury’s CIR, PIR, CARS TDO and IPAC
systems. Any differences identified by the accountant are corrected by an accounting technician
or another accountant prior to the close of the accounting period. ARC accountants prepare
monthly Statement of Differences reconciliations for supervisory review. If a Statement of
Differences was received, the transaction(s) that caused the difference is (are) identified and if
necessary, correcting entries are posted by an accounting technician or another accountant and
reported in the subsequent accounting period.

Reporting - Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for
all Customer Agencies. This report requires agencies to track the collection of receivables and
report on the status of delinquent balances according to an aging schedule. Accountants that are
responsible for preparing the Report on Receivables Due from the Public review and reconcile all
activity (i.e., new receivables, revenue accruals, collections, adjustments and write-offs) with the
public on a quarterly basis. An ARC supervisory accountant reviews the report. Customer
Agencies are responsible for monitoring and pursuing collection of delinquent balances.
On an annual basis, the Customer Agency’s Chief Financial Officer must certify that the report
submitted to the Department of the Treasury is accurate and consistent with agency accounting
systems.

Intra-governmental Transactions
ARC adheres to applicable intra-governmental elimination guidance. This involves recording
transactions at a level that allows for identification of its governmental trading partners and for
reconciling the transactions/balances with trading partners on a quarterly basis. For its
non-Treasury and non-Homeland Security Customer Agencies, ARC accountants reconcile fiduciary
account balances with their trading partners (Fiscal Service, Office of Personnel Management and
Department of Labor) after uploading account balances into the Intragovernmental Fiduciary
Confirmation System (IFCS). The Department of Treasury and the Department of Homeland
Security utilize IFCS to reconcile Treasury and Homeland Security agency fiduciary account
balances with trading partners. For the non-fiduciary transactions of its Customer Agencies,
ARC accountants prepare and submit confirmations to the appropriate trading partners in
accordance with the elimination reconciliation guidance. Upon submitting the confirmations to
the trading partners, ARC works with the trading partners to reconcile transactions/balances and
identify and record any necessary adjustments. Reconciliations are not performed for
non-Treasury Customer Agencies. Non-Treasury Customer Agencies receive confirmations only.

Document Numbering
All accounting entries recorded in Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on unfilled customer
orders and receivables.
A system control alerts the user of the use of duplicate document numbers
on cash receipt and advance transactions. ARC has developed and implemented a standard
document-numbering scheme to avoid duplicate document processing and to enable readers of
ARC reports to better identify and/or determine the nature of transactions processed by ARC.
When an ARC user attempts to enter a transaction identification number that already exists,
Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Consideration

Customer Agencies should establish controls to:

•   Send approved and accurate documentation of unfilled customer orders, receivables, and cash
    receipts transactions, to ARC in the proper period.
•   Review unfilled customer orders, receivable and advance reports for completeness, accuracy,
    and validity.
•   Monitor and pursue collection of delinquent balances.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of unfilled customer orders, cash receipts,
   receivables, advances, and write-offs and observed ARC personnel process transactions, and
   determined that the transactions were processed in accordance with the procedures.
2. For a selection of unfilled customer orders, inspected documentation of Customer Agency
   authorization and determined that transactions were authorized by Customer Agencies.
3. For a selection of receivables, inspected documentation of Customer Agency authorization
   and determined that transactions were authorized by Customer Agencies.
4. For a selection of cash receipts, inspected documentation of Customer Agency authorization
   and determined that transactions were authorized by Customer Agencies.
5.
For a selection of months, inspected Statement of Differences reconciliations and determined
   that reconciliations were documented and that any correcting entries were posted by an
   accounting technician or another accountant and reported in the subsequent accounting
   period.
6. For a selection of quarters, inspected the Report on Receivables Due from the Public
   reconciliations and determined that reconciliations were documented.
7. For a selection of quarters, inspected Reports on Receivables Due from the Public and
   determined that they were reviewed by an ARC supervisory accountant.
8. Inspected a quarterly selection of intra-governmental confirmations and reconciliations and
   determined that confirmations were sent, reconciliations were documented, and trading
   partners identified.
9. Inspected a quarterly selection of non-Treasury and non-Homeland Security Customer
   Agency intra-governmental Fiduciary Confirmation System balances and determined that
   fiduciary account balances were reconciled with trading partner balances.
10. Inspected a selection of non-fiduciary transaction confirmations of ARC Customer Agencies
    and determined that ARC accountants prepared and submitted confirmations to the
    appropriate trading partners in accordance with the elimination reconciliation guidance.
11. Inspected a selection of transaction(s)/balance(s) reconciliations and determined that upon
    submitting the confirmations to the trading partners, ARC worked with the trading partners to
    reconcile transactions/balances and identify and record any necessary adjustments.
12. Inspected a selection of reconciliations and determined that confirmations are sent when
    differences are noted for non-Treasury Customer Agencies.
13.
Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.

Control Objective 4 - Deposits

Controls provide reasonable assurance that checks are secure and deposited timely by appropriate
personnel and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for the safeguarding and recording of deposits.

Safeguarding Checks
Checks received by the mailroom are scanned individually with the supporting documentation
that came with each check. Each check with the documentation is saved as a separate file at this
location: \\vm-int-w-app-05\DSFilesBPD\OMS\DAS\Mail Services. The checks, along with the
original documentation, are sent to the A3F mail drop by the mail deliverer and signed for if
delivery confirmation was requested. An ARC accounting technician (who does not have
accounting system access to post accounts receivable transactions) receives, opens and logs all
checks received in the branch’s check deposit log. The same technician retrieves the scanned
images from \\vm-int-w-app-05\DSFilesBPD\OMS\DAS\Mail Services and saves each image in
the appropriate folder by branch. These scanned files are archived at the end of each month. For
reconciliation purposes, the check total scanned by mail services is compared to the number
received by placing a “yes” in the “check received?” column on each check log.
This confirms that all checks scanned at mail services were received and logged by the technician.

Checks are to be deposited as soon as possible after the purpose and validity of the check’s
issuance are identified. The accounting technician is responsible for processing deposits, but the
Customer Agency is responsible for researching the check’s purpose and validity. The checks are
locked in the ARC PSB safe located by the PSB supervisor until they are ready to be deposited.

Manual Deposits – Segregation of Duties
When the check is ready for manual deposit, a deposit ticket and the check are placed in a locked
bag and picked up by the mail clerk. A copy of the deposit ticket is retained by the ARC
accounting technician for comparison with the receipt and deposit ticket signed by the bank teller.
The mail clerk delivers the locked bag containing the deposit ticket and checks to the local federal
depository. The bag containing the bank teller’s deposit ticket and receipt are returned to the
branch office that processed the deposit. After the bank teller receipt and deposit ticket are
compared to the copy retained by the branch and the ARC accounting technician updates the
check deposit log to record the date the deposit was made, an independent ARC accounting
technician processes the cash receipt in the accounting system. ARC stopped processing manual
deposits as of December 31, 2012 since all Customer Agencies were migrated to the Over the
Counter Channel Application.

Paper Check Conversion System Deposits and Reconciliation
For customers using the Paper Check Conversion Over the Counter (PCC OTC) system, an ARC
accounting technician will scan each check into the PCC OTC system. The batch list is
automatically saved temporarily to the server until it is transmitted to the Federal Reserve Bank
(FRB) by the ARC accounting technician.
Upon settlement with the FRB, the ARC accounting
technician reconciles the batch list with the paper checks and signs off to indicate the
reconciliation is complete. After reconciliation, the checks are held awaiting confirmation of the
deposit in the Financial Management Service’s deposit application, CA$HLINK II. Upon
confirmation, the ARC accounting technician destroys the checks. The cash receipt is recorded in
Oracle by an independent ARC accounting technician. ARC stopped processing checks using
PCC OTC as of December 31, 2012 since all Customer Agencies were migrated to the Over the
Counter Channel Application.

Over the Counter Channel Application
Over the Counter Channel Application (OTCnet) is a web-based application that integrates the
functionality of PCC OTC and Treasury General Account Deposit Reporting Network (TGAnet).
OTCnet's design accommodates “check capture” and “deposit reporting and processing” using
electronic collection mechanisms instead of paper based processing. Throughout 2012, all
agencies migrated from manual deposits and PCC to OTCnet. All deposits were processed using
OTCnet starting on January 1, 2013.

On the “check capture” side of OTCnet, checks are scanned for deposit and a batch list is created.
The batch list is automatically saved temporarily to the server until it is transmitted to the Federal
Reserve Bank (FRB) by the ARC accounting technician. Upon settlement with the FRB, the
ARC accounting technician reconciles the batch list with the paper checks and signs off to
indicate the reconciliation is complete.
After reconciliation, the checks are held awaiting
confirmation of the deposit in the Financial Management Service’s deposit application,
CA$HLINK II. Upon confirmation, the ARC accounting technician destroys the checks. The
cash receipt is recorded in Oracle by an independent ARC accounting technician. Note:
CA$HLINK II was deactivated December 31, 2012. The functions of CA$HLINK II are provided
by the Collections Information Repository (CIR, formerly TRS).

On the “deposit reporting and processing” side of OTCnet, an ARC accounting technician will
manually enter the deposit information into the OTCnet system. A deposit ticket and the check(s)
are sent in a locked money bag that is picked up by a mail clerk who then delivers it to the local
federal depository. A copy of the deposit ticket is retained by the ARC accounting technician for
comparison with the deposit receipt from the bank teller and the confirmed deposit ticket from the
OTCnet system. The money bag containing the bank teller's deposit receipt is returned to the
branch office that processed the deposit. After the bank teller receipt and OTCnet confirmed
deposit ticket are compared to the copy retained by the branch, the cash receipt is recorded in
Oracle by an independent ARC accounting technician.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the safeguarding and recording of deposits and determined
   that ARC had documented procedures for the safeguarding and recording of deposits.
2. Inspected the checks received by the mailroom and the associated deposit check log and
   determined that the deposit check log agrees to the original checks.
3.
Inspected a selection of check deposit logs and determined that an ARC administrative staff
   member who did not have accounting system access to post accounts receivable transactions,
   received, opened and logged all checks received in the branch’s check deposit log.
4. Inspected a selection of check deposit records and check issuance attributes and determined
   checks were deposited as soon as possible after the purpose and validity of the check’s
   issuance were identified.
5. During our testing we were unable to observe the manual deposit process since it was no
   longer used after December 31, 2012. We inspected the check log and noted there were two
   manual deposits prior to December 31, 2012. We inspected procedures and observed
   example walkthroughs for manual deposits and determined ARC had procedures in place for
   manual deposits.
6. During testing, there were no PCC check deposits during the period and the process was no
   longer being used after December 31, 2012. We inspected procedures for performing the
   PCC reconciliation and determined ARC had procedures in place for the PCC process.
7.
Inspected a selection of check deposits and the subsequent posting to Oracle of OTCnet
   confirmed deposit receipts to those retained by the ARC branch and determined that the total
   checks were posted completely and accurately to Oracle.

No exceptions noted.

Control Objective 5 – Payroll Accruals

Controls provide reasonable assurance that period-end payroll accruals are processed timely,
reviewed, and properly documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll accruals.

System Calculation of Accruals
Payroll accruals are recorded on a monthly basis and reversed in the subsequent accounting
period. The payroll accrual is a prorated calculation performed by the accounting system that is
based on the most recent payroll disbursement data available. To make its calculation, the
accounting system requires a payroll accountant to enter specific parameters (e.g., number or
percentage of workdays to accrue and the base pay period number).

Complementary Customer Agency Controls

•   Review the financial reports provided by ARC to ensure that payroll accruals are complete
    and accurate.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of payroll accruals and determined that the
   procedures were formally documented for the processing of payroll accruals.
2.
For a selection of months, inspected payroll accruals for a selection of Customer Agencies for
   entry into the system and determined that payroll accruals were entered timely.

No exceptions noted.

Control Objective 6 – Payroll Disbursements

Controls provide reasonable assurance that payroll disbursement data (disbursed by a third-party)
is reviewed, reconciled, and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll disbursements.

Automated Payroll Posting Process
Third-party payroll processors transmit payroll files to ARC during the first and/or second weeks
after the end of a pay period, depending on the payroll provider and the need to record payroll
adjustments. Upon converting the data into a format that can be uploaded into Oracle, the ARC
payroll accountant reconciles the converted data to the original raw data from the third-party
processors. The ARC payroll accountant processes payroll entries using a batch interface that
posts summary payroll data to Oracle. The payroll accountant reviews and corrects transactions
that reject in the interface. A Discoverer report is used to identify those records that reject. The
payroll accountant contacts the customer for resolution of erroneous accounting codes, funding
issues, or other circumstances that would prevent the payroll from being recorded. Until the
errors are cleared, the data is viewed as invalid and will not be able to be posted to the general
ledger.
If the third-party payroll processor provides adjustment files for additional transactions
between main payroll files, the ARC payroll accountant follows the same procedure for
processing these files.

Reconciliation – Payroll Activity
Payroll accountants prepare a monthly reconciliation of payroll disbursements recorded in Oracle
and payroll disbursements as reflected on the CARS Account Statement. The payroll accountant
investigates and resolves any differences identified. This reconciliation is reviewed and approved
by the supervisor or manager of ARC’s Central Accounting Branch. In addition, ARC prepares
monthly CARS Account Statement reconciliations from the general ledger to Treasury’s record.
Any reconciliation differences identified by the branch accountant who prepares the CARS
Account Statement reconciliation that require correction are posted by another accountant or
accounting technician in a subsequent accounting period. ARC supervisory accountants review
and approve the CARS Account Statement/Fund Balance with Treasury reconciliations.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

• Verify that payroll processed by third-party providers is complete and accurate.
• Review the financial reports provided by ARC to ensure that payroll disbursements are
  complete and accurate.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of payroll disbursements and determined that
   the consistent use of the procedures by staff was documented to help prevent the inaccurate,
   unauthorized, or untimely entry of payroll disbursements into ARC information systems.
2.
Inspected an interface error report and determined that during the interface, input files were
   checked for errors and interface error reports were created if errors were identified and
   determined that data would not interface until errors were corrected.
3. For a selection of months, inspected payroll reconciliations and determined that
   reconciliations were performed and that any exceptions were resolved.
4. For a selection of months, inspected CARS Account Statement reconciliations and
   determined that reconciliations were performed and that any exceptions were resolved.

No exceptions noted.

Control Objective 7 - USSGL

Controls provide reasonable assurance that transactions are processed in accordance with the U.S.
Standard General Ledger (USSGL) and Treasury Financial Manual (TFM) guidance.

Description of Controls

ARC has documented procedures for processing transactions consistent with the USSGL.

Transaction Set-up Controls
ARC records proprietary and budgetary accounting entries using the USSGL at the transaction
level. This is accomplished using a combination of transaction code, system setup, Sub-Ledger
Accounting (SLA) and data entry in Oracle. In addition, Oracle cross-validation rules have been
established to prevent transactions from being processed to inappropriate USSGL accounts.

ARC follows the TFM to establish accounting transaction posting models in Oracle.
System
administrators require authorization from a supervisor or manager to establish new posting
models for transaction processing.

On an annual basis, ARC reviews the USSGL Board’s proposed and approved additions,
deletions and/or modifications to USSGL account titles and/or account descriptions to determine
their applicability to ARC Customer Agencies. Once the changes to the USSGL are approved by
Treasury’s Fiscal Service and the new TFM guidance is issued (generally mid-summer), ARC
supervisors and managers communicate the appropriate changes to system administrators to
ensure the accounting transaction posting models are revised.

General Ledger Account Reconciliations
Accountants perform general ledger account reconciliations (utilizing accounting system sub
ledgers or Excel spreadsheets) on balance sheet accounts except where account sub ledgers are
not made available to ARC, for supervisory review, to ensure related accounting transactions
were posted to the appropriate general ledger accounts. ARC accountants prepare budgetary to
proprietary account relationship reconciliations on a monthly basis, for supervisory review, to
ensure complete general ledger account posting for all recorded transactions. An accounting
technician or an accountant corrects invalid out-of-balance relationships.

FACTS I Edit Checks
ARC enters pre-closing adjusted trial balances for its non-Treasury customers, except for the
Department of Homeland Security, into the FACTS I system at the Treasury appropriation/fund
group level using USSGL accounts and attributes. Treasury’s Fiscal Service maintains the
FACTS I system. The FACTS I system checks that the trial balance has, in aggregate, equal debit
and credit balances before the trial balance can be submitted in FACTS I. FACTS I also flags
abnormal balances for scrutiny by an ARC accountant.
After entering the adjusted trial balances
into FACTS I, ARC reviews the submitted balances and resolves any invalid abnormal balances
or out-of-balance conditions. Once any necessary corrections have been made, the accountant
submits the adjusted trial balance into the FACTS I system.

FACTS II Edit Checks
ARC submits the FACTS II files for its non-Treasury customers, except for the Department of
Homeland Security, using a bulk file upload. Accountants create the bulk files by running a job
within the Oracle application. Oracle requires the data to pass several edit checks before it will
create the bulk file. ARC manually uploads the FACTS II files into the FACTS II system.
Treasury’s Fiscal Service maintains the FACTS II system. The FACTS II system performs
USSGL edit checks and rejects any files that fail the edit checks. ARC investigates and resolves
any files rejected by the FACTS II system.

Treasury Information Executive Repository (TIER) Validation Checks
For ARC’s Treasury and Department of Homeland Security Customer Agencies, FACTS I and II
reporting requirements are met using TIER. TIER is a departmental data warehouse that receives
monthly uploaded financial accounting and budgetary data from the bureaus and other reporting
entities in a standardized format. Data submitted to TIER by an ARC accountant is validated
based on system-defined validation checks.

ARC utilizes custom solutions that extract accounting and budgetary data from Oracle to
generate necessary TIER data. TIER has a standardized chart of accounts that is compliant with
USSGL guidance issued by the Department of the Treasury. FACTS II edit checks are
incorporated in the TIER validation checks.
After submitting the adjusted trial balances into
TIER, ARC accountants review the edit reports and resolve any invalid attributes or
out-of-balance conditions. ARC accountants document this review by completing the TIER Submission
Checklist, which is further reviewed by a supervisor.

Financial Statement Crosswalks
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary
Resources for all Customer Agencies that are covered by the Chief Financial Officer Act and the
Accountability of Tax Dollars Act of 2002. The statements are submitted each quarter to the
Director of the Office of Management and Budget (OMB) and the Congress. Additionally, ARC
accountants prepare the Statement of Changes in Net Position, and Statement of Custodial Activity
(when applicable) for all Customer Agencies. ARC accountants compare TFM financial
statement crosswalks to ARC’s internally prepared financial statements to ensure compliance
with the Customer Agency's government-wide reporting requirements. ARC investigates and
resolves any differences between TFM financial statement crosswalks and ARC’s internally
prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security Customer Agencies, quarterly
financial statements are produced by departmental systems using the data submitted in TIER.
Quarterly consolidated financial statements are submitted to the Director of OMB and the
Congress by the Department. ARC accountants compare the quarterly financial statements to
ARC’s internally prepared financial statements, which is further reviewed by a supervisor, and
any differences are resolved.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security Customer Agencies,
accountants prepare a quarterly financial statement variance analysis.
Explanations for variances
that exceed Department materiality thresholds must be provided to the Department. The
Department submits a consolidated analysis to OMB. The bureau variance analysis is reviewed
by an ARC supervisory accountant and approved by the bureau CFO or designee prior to
submission to the Department. The Homeland Security bureau variance analysis is also certified
by an ARC manager and the Homeland Security's CFO or designee also approves the variance
analysis.

For non-Treasury and non-Homeland Security Customer Agencies, accountants prepare a
quarterly financial statement variance analysis for interim periods based on the guidance in OMB
Circular A-136. Explanations for variances that exceed the OMB Circular A-136 guidelines are
provided to OMB. The variance analysis is reviewed by an ARC supervisory accountant prior to
submission to OMB.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

• Review and approve, prior to submission, the financial reports prepared by ARC to ensure
  that all reports prepared for external use are complete, accurate, and submitted in a timely
  manner.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of transactions consistent with the USSGL
   and determined that procedures were documented.
2. Observed the processing of a transaction to an inappropriate USSGL account and noted the
   existence of Oracle cross-validation rules.
3. Inspected a list of users with access to change posting models and determined that system
   administrators had access to administer posting models.
4.
For a selection of posting model changes and additions, inspected ARC supervisory approval
   of the changes and inspected TFM/USSGL guidance and determined that the changes and
   additions were authorized and that they were in agreement with TFM/USSGL guidance.
5. Inspected evidence of the annual review of USSGL account titles and descriptions and
   determined that the annual review was performed by ARC supervisors and managers.
6. For a selection of months, inspected monthly general ledger account reconciliations and
   determined that reconciliations were performed, any exceptions were resolved and the
   reconciliation was reviewed by an ARC supervisor.
7. Inspected a selection of FACTS I edit check reports and determined that FACTS I was
   completed, reviewed, and any issues were resolved.
8. Inspected a selection of Reporting and Reconciliation Internal Control Checklists and
   determined that the FACTS I was completed.
9. Observed the staff run the Oracle job that creates the FACTS II bulk data upload file and
   noted that Oracle edit checks were applied to the data, and that the ARC accountant resolved
   any exceptions.
10. Inspected a selection of TIER Submission Checklists and determined that TIER submissions
    were reviewed by a supervisor.
11. For a selection of quarters for a selection of Customer Agencies, inspected ARC comparison
    of TFM financial statement crosswalk with ARC’s internally prepared financial statements
    and determined that ARC complied with reporting requirements.
12.
Inspected results of ARC’s investigation of Treasury’s financial statement crosswalk and
    ARC’s internally prepared financial statements and determined that ARC investigated and
    resolved any differences.
13. Inspected a selection of quarterly financial statement reviews and determined that the
    reconciliations were reviewed and approved by a supervisor.
14. For a selection of months, inspected reconciliation of financial statements prepared by
    Treasury to internally prepared financial statements and determined that reconciliations were
    performed, any exceptions were resolved and they were reviewed by a supervisory accountant
    before submission.

No exceptions noted.

Control Objective 8 - Accruals

Controls provide reasonable assurance that the period-end accruals are authorized, processed
timely, reviewed, reconciled, and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of accruals.

Customer Review of Revenue and Expense Accruals
Accounting technicians record period-end accruals for goods and services provided/received, but
not billed/invoiced, in Oracle based on instruction provided from the Customer Agency.

For all Customer Agencies, except the Treasury Franchise Fund, accounting technicians record
period-end accruals for goods and services provided, but not billed in the accounting system
through standard accrual transactions.

For Treasury Franchise Fund
Customer Agencies, accounting technicians record period-end
accruals for goods and services provided but not billed in Oracle using an automated journal entry
process. The amounts recorded are based on information provided by e-mail from the Customer
Agency. Accounting technicians enter information received from the Customer Agency into a
spreadsheet template. An accountant reviews the spreadsheet and converts it into a data file that
is automatically loaded into Oracle and reviewed and approved by a supervisory accountant.

Non-Invoice Accrual Reviews
Accountants record non-invoice related expense accruals, such as workers' compensation and
leave liability in Oracle. The workers' compensation accruals are based on historical trend
analysis and/or actual costs incurred. The leave liability accruals are based on data provided by
the Customer Agency's payroll provider or Human Resources office. For applicable Customer
Agencies, the ARC payroll accountant processes payroll leave accrual entries using a batch
interface that posts summary payroll data to Oracle. For non-batch interfaced leave accruals, a
supervisory accountant reviews the accrued employee benefits to determine that the accrual is
processed and posted.

TIER Submission Checklist
Supervisory accountants validate the quality of TIER data by reviewing an ARC
accountant-prepared TIER Submission Checklist, which includes verification that non-invoice related
expense accruals are posted at least quarterly.

General Ledger to Subledger Reconciliation
On a monthly basis, ARC accountants prepare a reconciliation of revenue and expense accrual
balances in the general ledger to the sub ledger detail, which is reviewed by a supervisor.
Accountants reconcile only billed revenue accruals since unbilled revenue accruals are recorded
directly in the general ledger.
Any differences identified are corrected by an accounting
technician or accountant in the subsequent accounting period.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at the various allocation levels.

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis. Budget plans
are input into Oracle by ARC Staff and independently reviewed.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on revenue and
expense accruals processed through standard accrual transactions.
ARC has developed and
implemented a standard document-numbering scheme to avoid duplicate document processing
and to enable readers of ARC reports to better identify and/or determine the nature of transactions
processed by ARC. When an ARC user attempts to enter a transaction identification number that
already exists, Oracle issues an error message that alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

• Review open obligation and accrual reports for completeness, accuracy, and validity.
• Approve and send revenue and expense accruals to ARC in a timely manner.
• Communicate Customer Agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for the processing of accruals and observed ARC staff
   processing accruals, and noted that the processing was in accordance with the procedures.
2. For a selection of accruals, inspected documentation of Customer Agency authorization and
   supervisory accountant review and determined that the accruals were authorized and reviewed
   appropriately.
3. For a selection of months, inspected non-invoice batch payroll leave accruals and determined
   that the files were sent to ARC for processing and posting of summary payroll data to the core
   accounting system.
4. For a selection of months, inspected non-invoice non-batch leave accrual and determined that
   a supervisory accountant reviewed the manually calculated leave accruals to ensure they were
   properly calculated and input into Oracle.
5.
For a selection of months, inspected TIER Submission Checklists for evidence of ARC
   supervisory review of TIER data and timeliness of submission and determined that
   submissions have been reviewed.
6. For a selection of months, inspected scorecard documentation and determined that scorecards
   were maintained for supervisory review.
7. For a selection of months, inspected reconciliation of revenue and expense accrual balances in
   the general ledger to the subledger detail and determined that reconciliations were performed
   and that any exceptions were resolved.
8. For a selection of Customer Agencies, inspected budget instructions and determined that for
   the current year they specified their budget controls, they were input by CSB staff, and then
   reviewed by a supervisor for completeness and accuracy.
9. Observed an ARC staff member attempt to enter a transaction into Oracle with a document
   number that had already been entered into Oracle and noted that Oracle automatically rejected
   the entry of a duplicate document number.

No exceptions noted.

Control Objective 9 – Government-Wide Reporting

Controls provide reasonable assurance that Government-wide reporting is performed in
accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the preparation of government-wide
reports.

FACTS I & II
ARC policies require the submission of FACTS I and FACTS II reports based on Fiscal Service’s
criteria for these applications. All reports must pass all FACTS edit checks.
For non-Treasury
Customer Agencies, except the Department of Homeland Security, supervisory accountants
review all submissions prepared by accountants and review all data to ensure all reporting
deadlines are met. All fourth quarter FACTS II submissions require certification by an ARC
supervisor or manager, or other designated Customer Agency representative.

TIER
Treasury reporting entities are required to submit financial accounting and budgetary data each
month to TIER, Treasury’s data warehouse, within Treasury’s submission timeline, which is
generally the third business day of the subsequent month. The Department of Homeland Security
reporting entities are required to submit financial accounting and budgetary data each month to
TIER, Homeland Security’s data warehouse, within Homeland Security’s submission timeline.
To meet this requirement, ARC performs the Oracle month-end close processes on the second
business day after the end of the month. Supervisory accountants validate the quality of TIER
data to ensure reporting deadlines are met by reviewing an accountant-prepared TIER Submission
Checklist. The TIER Submission Checklist consists of internally and Treasury department
defined data quality standards.

Prompt Payment
ARC follows the Treasury guidelines for the Prompt Payment report for its customers. ARC
prepares these reports timely. Independent accountants review these reports before submission.
Treasury also requires that a Customer Agency representative sign the Prompt Payment reports.
EFT is no longer required for submission to Treasury and beginning with FY 2013, Prompt
Payment submission is quarterly.

Financial Statements
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary
Resources for all Customer Agencies that are covered by the Chief Financial Officer Act and the
Accountability of Tax Dollars Act of 2002.
The statements are to be submitted each quarter to
the Director of the OMB and the Congress. Additionally, ARC accountants prepare the Statement
of Changes in Net Position and Statement of Custodial Activity (when applicable) for all
Customer Agencies. ARC accountants compare TFM financial statement crosswalks to ARC’s
internally prepared financial statements to ensure compliance with the reporting requirements.
ARC investigates and resolves any differences between TFM financial statement crosswalks and
ARC’s internally prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security Customer Agencies, quarterly
financial statements are produced by departmental systems using the data submitted in TIER.
Quarterly consolidated financial statements are submitted to the Director of OMB and the
Congress by the Department. ARC accountants compare the quarterly financial statements to
ARC’s internally prepared financial statements, for supervisory review, and resolve any
differences.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security Customer Agencies,
accountants prepare a quarterly financial statement variance analysis. Explanations for variances
that exceed Department materiality thresholds must be provided to the Department. The
Department submits a consolidated analysis to OMB. The bureau variance analysis is reviewed
by an ARC supervisory accountant prior to submission to the Department.

For non-Treasury and non-Homeland Security Customer Agencies, accountants prepare a
quarterly financial statement variance analysis for interim periods based on the guidance in OMB
Circular A-136.
Explanations for variances that exceed the OMB Circular A-136 guidelines are
provided to OMB with the quarterly financial statement submission. The variance analysis is
reviewed by an ARC supervisory accountant prior to submission to OMB.

Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for
all Customer Agencies. The report is reviewed by an ARC supervisory accountant prior to
submission to Treasury.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

• Review and approve, prior to submission, the financial reports prepared by ARC to ensure
  that all reports prepared for external use are complete, accurate, and submitted in a timely
  manner.
• Provide certification of FACTS II to ARC prior to ARC’s FACTS II system certification.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures and determined that ARC had documented procedures for the
   preparation of government-wide reports.
2. For a selection of fourth quarter FACTS II submissions, inspected evidence of management
   review and determined that they were reviewed and certified.
3. For a selection of months, inspected TIER Submission Checklists for evidence of ARC
   supervisory review of TIER data and timeliness of submission and determined that
   submissions have been reviewed.
4. For a selection of months, inspected scorecard documentation and determined that scorecards
   are maintained for supervisory review.
5. For a selection of months, inspected EFT and Prompt Payment reports and determined that
   they were reviewed by a supervisory accountant before submission.
6.
For a selection of months, inspected reconciliations of financial statements prepared by FARS
   to internally prepared financial statements and determined that reconciliations were reviewed
   and that any differences were resolved.
7. For a selection of months, inspected reconciliation of financial statements prepared by FARS
   to internally prepared financial statements and determined that reconciliations were
   performed and any exceptions were resolved and were reviewed by a supervisory accountant
   before submission.
8. For a selection of quarters, inspected the Report on Receivables Due from the Public
   reconciliations and determined that reconciliations were documented.
9. For a selection of quarters, inspected Reports on Receivables Due from the Public and
   determined that they were reviewed by an ARC supervisory accountant.

No exceptions noted.

Control Objective 10 – Administrative Spending

Controls provide reasonable assurance that administrative spending controls are reviewed,
reconciled, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures related to administrative spending controls.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at various allocation levels.

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited.
System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis. Budget plans
are input into Oracle by ARC Staff and independently reviewed.

Reconciliation – Budgetary and Proprietary Account Relationships
ARC accountants prepare budgetary to proprietary account relationship reconciliations on a
monthly basis, for supervisory review, to ensure complete general ledger account posting for all
recorded transactions.
An accounting technician or an accountant corrects invalid out-of-balance
relationships.

Reconciliations – Fund Balance With Treasury (Activity and Balances)
A Federal Agency’s FBWT account assists the agency in monitoring use of budget authority.
Treasury’s Fiscal Service provides the following reports to inform agencies of their FBWT and to
assist agencies in reconciling their general ledger balances to Fiscal Service balances:
    • Statement of Differences (Disbursements/Deposits) provides the net difference between
      Fiscal Service’s control totals and the agency’s CARS Statements of Transactions
      (formerly FMS 224) submission.
    • CARS Account Statement (Transactions) provides increases and decreases to balances,
      detailed at the submitting Agency Location Code (ALC) levels.
    • CARS Account Statement (Account Summary) provides beginning balance, current
      month net activity and ending balance.

ARC accountants reduce the probability of month-end differences relating to disbursements by
comparing preliminary CARS Statements of Transactions (formerly FMS 224) disbursement
data to month-to-date data obtained from PIR, CIR, CARS TDO Payments, and IPAC systems.
Any differences identified by the accountant are corrected by an accounting technician or another
accountant prior to the close of the accounting period.

ARC accountants perform Statement of Differences reconciliations, for supervisory review, as
well as reconciliations of CARS Account Statement balances to general ledger FBWT balances.
If differences are identified during the reconciliations, ARC accountants determine the cause of
the difference and the
action, if any, that is needed to resolve the discrepancy. If the difference\nrequires correction, an entry is posted in the accounting system by an accounting technician or\nanother accountant.\n\nComplementary Customer Agency Controls\n\nCustomer Agencies should establish controls to:\n\n\xe2\x80\xa2   Properly approve and accurately enter obligations into the procurement and travel systems in\n    the proper period.\n\xe2\x80\xa2   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a\n    timely manner.\n\xe2\x80\xa2   Send approved requests to record manual obligations to ARC in a timely manner.\n\xe2\x80\xa2   Review open obligation reports for completeness, accuracy, and validity.\n\xe2\x80\xa2   Review and approve listing of users with current Oracle, PRISM, IPP, webTA, and GovTrip\n    access to ensure appropriateness.\n\xe2\x80\xa2   Communicate Customer Agency required levels of budget and spending controls to ARC.\n\nTests of Operating Effectiveness and Results of Testing\n\n1. Inspected the written procedures related to administrative spending, inspected reconciliations,\n   and observed ARC staff process transactions and determined that processing was in\n   accordance with the procedures.\n2. For a selection of Customer Agencies, inspected evidence and determined that for the year\n   they specified their budget controls, the controls were input into Oracle by CSB staff, and were\n   reviewed by a supervisor for completeness and accuracy.\n3. For a selection of months, inspected budgetary to proprietary account relationship\n   reconciliations and determined that reconciliations were performed and that any exceptions\n   were resolved.\n4. 
For a selection of months for a selection of Customer Agencies, inspected evidence and\n   determined that the accountants perform reconciliations of CARS Account Statement\n   balances to general ledger FBWT balances and supervisory review was completed.\n\n\nNo exceptions noted.\n\n\nControl Objective 11 \xe2\x80\x93 Budget\n\nControls provide reasonable assurance that budget entries are documented and processed in\naccordance with ARC policies and procedures.\n\nDescription of Controls\n\nARC has documented procedures for staff to follow for the processing of budget entries.\n\nBudget Documentation\nFor Customer Agency appropriations subject to annual enactment, ARC enters an appropriation\nbased on the amount approved in the annual appropriations process, as supported by the\nautomatic amount calculated during a continuing resolution (CR), the enacted appropriation\nlegislation, or Treasury documentation. ARC enters an apportionment in Oracle from the\nCustomer Agency's SF 132, Apportionment and Reapportionment Schedule. Upon receipt of the\nCustomer Agency's budget plan or reprogramming guidance, ARC allocates funding to the\nCustomer Agency's accounting values according to the detail provided by the customer.\n\nFor Customer Agency sources of funds that are not subject to the annual appropriations process,\nsuch as reimbursable or revolving accounts, ARC enters an appropriation and apportionment\nbased on the Customer Agency's SF 132 and recorded reimbursable activity for those accounts\nsubject to the apportionment process. 
ARC allocates funding to the Customer Agency's\naccounting values based on the Customer Agency's budget plan or recorded reimbursable activity.\n\nFor sources of funds not subject to both the annual appropriations process and the apportionment\nprocess, ARC enters an appropriation and apportionment at the fund level and allocates funding\nto the Customer Agency's accounting values based on the Customer Agency's budget plan,\nrecorded reimbursable activity, or reprogramming guidance.\n\nBudget Execution System Controls\nCustomer Agencies can establish and monitor both legally established and internally developed\nbudget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be\nestablished at various allocation levels.\n\nBudget execution system controls can be set to prevent spending beyond the budget plan amount\nor allow spending over the budget plan amount at any level of the budget plan. Spending beyond\nthe apportionment and appropriation levels (legal levels) is prohibited. System controls are\ndesigned to prevent the user from apportioning more than was appropriated and allocating more\nthan was apportioned. Decisions on control settings that permit or prevent spending beyond other\nbudget plan levels are determined by the Customer Agency. System controls are applied at the\nfund level after passage of appropriation legislation and a high-level budget is loaded at the\nallocation level. Upon receipt and input of a detailed financial plan, controls are established at a\nmore detailed level if desired by the Customer Agency.\n\nBudget execution settings are determined by the Customer Agency and set up in Oracle by the\nBusiness Technology Division\xe2\x80\x99s Customer Service Branch (CSB). System settings are reviewed\nwith the Customer Agency on an annual basis. 
Budget plans are input into Oracle by ARC Staff\nand independently reviewed.\n\nReconciliation \xe2\x80\x93 Budgetary and Proprietary Account Relationships\nARC accountants prepare budgetary to proprietary account relationship reconciliations on a\nmonthly basis, for supervisory review, to ensure complete general ledger account posting for all\nrecorded transactions. An accounting technician or an accountant corrects invalid out-of-balance\nrelationships.\n\nReconciliation \xe2\x80\x93 Fund Balance With Treasury\nA Federal Agency\xe2\x80\x99s FBWT assists the agency in monitoring budget authority. Treasury\xe2\x80\x99s Fiscal\nService provides the following reports to inform agencies of their FBWT and to assist agencies in\nreconciling their general ledger balances to Fiscal Service balances:\n\n    \xe2\x80\xa2   CARS Account Statement (Transactions) provides increases and decreases to balances,\n        detailed at the submitting ALC levels.\n    \xe2\x80\xa2   CARS Account Statement (Account Summary) provides beginning balance, current\n        month net activity and ending balance.\n\nARC accountants perform reconciliations, for supervisory review, of CARS Account Statement\nbalances to general ledger FBWT balances. If differences are identified during the\nreconciliations, ARC accountants determine the cause of the difference and the action, if any, that\nis needed to resolve the discrepancy. If the difference requires correction, an entry is posted in\nthe accounting system by an accounting technician, another accountant or a budget analyst.\n\nDocument Numbering\nAll accounting entries recorded into Oracle require a transaction or document identification\nnumber. 
System controls prohibit the use of duplicate document numbers on budget documents.\nARC has developed and implemented a standard document-numbering scheme to avoid duplicate\ndocument processing and to enable readers of ARC reports to better identify and/or determine the\nnature of transactions processed by ARC. When an ARC user attempts to enter a transaction\nidentification number that already exists, Oracle issues an error message that alerts the user to the\nduplication.\n\nComplementary Customer Agency Controls\n\nCustomer Agencies should establish controls to:\n\n\xe2\x80\xa2   Review the financial reports provided by ARC to ensure that budget entries are complete and\n    accurate.\n\xe2\x80\xa2   Send approved budget plans to ARC in a timely manner.\n\xe2\x80\xa2   Communicate Customer Agency required levels of budget and spending controls to ARC.\n\xe2\x80\xa2   Communicate OMB apportionment status to ARC.\n\xe2\x80\xa2   Monitor usage of budget authority during periods of operation under a Continuing Resolution\n    to ensure that OMB directed apportionment limits are not exceeded.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n1. Inspected written procedures for budget entries and determined that they were consistent with\n   the control description.\n2. For a selection of Customer Agencies, inspected evidence and determined that for the year\n   they specified their budget controls, they were input by CSB staff, and then reviewed by a\n   supervisor for completeness and accuracy.\n3. For a selection of months, inspected monthly general ledger account reconciliations and\n   determined that reconciliations were performed, any exceptions were resolved and the\n   reconciliation was reviewed by a supervisor.\n4. 
For a selection of months and Customer Agencies, inspected evidence and determined that the\n   accountants performed reconciliations of CARS Account Statement balances to general\n   ledger FBWT balances and supervisory review was completed.\n5. Observed an ARC staff member attempt to enter a transaction into Oracle with a document\n   number that had already been entered into Oracle and noted that Oracle automatically rejected\n   the entry of a duplicate document number.\n\n\nNo exceptions noted.\n\n\nControl Objective 12 \xe2\x80\x93 Manual Journal Entries\n\nControls provide reasonable assurance that manual journal entries are authorized.\n\nDescription of Controls\n\nARC has documented procedures for staff to follow for the processing of manual journal entries.\n\nJournal Entry Approval\nA user\xe2\x80\x99s profile in Oracle determines whether or not the user can prepare and/or approve a\nmanual journal entry. Oracle system controls require that all manual journal entries be routed to\nan approver. Once a user has entered a journal entry, Oracle automatically routes the journal\nentry to an authorized approver's queue.\n\nDocument Numbering\nOracle assigns all manual journal entries a specific journal category and journal source and ARC\nfollows a standard document numbering scheme. Documentation supporting the journal entry\naccompanies each request for approval. 
The approver compares the documentation to Oracle and\napproves the journal entry.\n\nComplementary Customer Agency Controls\n\n\xe2\x80\xa2   Send valid and approved requests to record manual journal entries to ARC in a timely\n    manner.\n\xe2\x80\xa2   Maintain and communicate to ARC a list of individuals authorized to submit manual journal\n    entries that are initiated by the Customer Agency.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n1. Inspected written procedures for the processing of manual journal entries and determined that\n   procedures were documented.\n2. Inspected the list of Oracle users with the ability to create manual journal entries and\n   determined that they were assigned a supervisor in Oracle and would be subject to the\n   automated approval work flow.\n3. Inspected the list of Oracle users with the ability to approve manual journal entries and the list\n   of users with the ability to enter manual journal entries and determined that users without a\n   specified supervisor did not have the ability to enter a manual journal entry.\n4. For a selection of journal entries, inspected hardcopy supporting documentation and related\n   Oracle journal entries and determined that the manual journal entries had proper hardcopy\n   documentation and were authorized.\n5. 
Observed an ARC staff member attempt to enter a transaction into Oracle with a document\n   number that had already been entered into Oracle and noted that Oracle automatically rejected\n   the entry of a duplicate document number.\n\n\nNo exceptions noted.\n\n\nControl Objective 13 \xe2\x80\x93 Federal Investments\n\nControls provide reasonable assurance that Federal investments in Government Account Series\n(GAS) investments are authorized, reviewed, processed timely, reconciled, and properly\ndocumented in accordance with Customer Agency policies and procedures.\n\nDescription of Controls\n\nARC accountants process purchases of Federal investments in accordance with Customer Agency\ninstruction. Instructions include the type and amount of securities to be purchased or the amount\nof residual cash to be retained. An independent accountant reviews investment purchases.\n\nAll investment activity in GAS investments is recorded in the general ledger through a daily interface\nbetween the Federal Investment System (FedInvest), a subsystem of the Government Agency\nInvestment Services System, and Oracle. Accountants reconcile investment general ledger\naccounts to the FedInvest application on a monthly basis to ensure all investment activity has\nbeen properly recorded. A supervisor reviews investment account reconciliations.\n\nTests of Operating Effectiveness and Results of Testing\n1. For a selection of Customer Agencies, inspected investment instructions and determined that\n   they were provided to ARC and defined the investment objectives for the agencies.\n2. For a selection of investment purchases, inspected evidence and determined that an\n   independent accountant reviewed the purchases.\n3. 
For a selection of months for a selection of Customer Agencies, inspected evidence and\n   determined that the accountants reconciled investment general ledger accounts to the\n   FedInvest application in a timely manner.\n\n\nNo exceptions noted.\n\n\nControl Objective 14 \xe2\x80\x93 Supplier and Bank Record Changes\n\nControls provide reasonable assurance that changes made to Supplier and Bank records require\nappropriate system access and the changes are reviewed, approved, and documented in\naccordance with ARC policies and procedures.\n\nDescription of Controls\n\nARC has documented procedures related to Supplier and Bank record changes for staff to follow.\n\nSegregation of Duties \xe2\x80\x93 Changes to Supplier and Bank Records\nUser profiles set by Oracle system administrators, as authorized by the user\xe2\x80\x99s supervisor or\nmanager, ensure that only authorized Central Accounting Branch (CAB) employees are able to\nmake changes to Supplier and Bank records. Authorized employees who have Supplier and Bank\nrecord change privileges do not have authorization to approve vendor payments in the accounting\nsystem allowing for proper segregation of duties.\n\nChanges to Supplier and Bank records that include taxpayer identification number, address, or\nbank routing/account number require:\n\n\xe2\x80\xa2   A source document from System for Award Management (SAM) or a document supplied by a\n    vendor or customer, when SAM is not applicable (i.e., grants and loans, payroll database,\n    and/or e-mail, etc. 
), and\n\xe2\x80\xa2   Independent review.\n\nReview \xe2\x80\x93 Changes to Supplier and Bank Records\nAuthorized employees review and process changes to Supplier and Bank records and maintain the\nsupporting source documentation as described above.\n\nA reviewing employee compares changes to Supplier and Bank records from the Oracle system to\nthe change request documents and electronically signs the audit report indicating review. The\nreviewing employee does not have access to make changes to Supplier and Bank records in\nOracle. Therefore, if errors were made, the reviewing employee would provide a copy of the\nsource document to an authorized employee for correction and subsequent review.\n\nTests of Operating Effectiveness and Results of Testing\n\n1. Inspected written procedures and determined that ARC had documented procedures for\n   Supplier and Bank record changes.\n2. Inspected a list of users with access to update, modify, or delete Supplier and Bank records\n   and determined that users had the appropriate privileges.\n3. Inspected a list of users with access to process vendor payments and determined that users\n   had the appropriate privileges.\n4. For a selection of changes to Supplier and Bank records, inspected the reviewed report signed\n   by the reviewing employee and determined that the Supplier and Bank record changes were\n   reviewed and approved.\n\n\nNo exceptions noted.\n\n\nPROCUREMENT PROCESSING CONTROLS\n\nControl Objective 15 \xe2\x80\x93 Acquisitions and Contracts\n\nControls provide reasonable assurance that acquisitions are compliant with Federal laws,\nregulations and policies.\n\nDescription of Controls\n\nAll acquisitions using simplified acquisition procedures must use the Simplified Acquisition\nFolder (PD F 5477) issued by Treasury. 
The inside front and back folder pages represent\nchecklist items for simplified acquisition procurement actions. Each folder checklist and\nsupporting file documentation are reviewed by a warranted Contracting Officer, and subsequently\napproved when signed on the inside front page.\n\nAll commercial item and Uniform Contract Format acquisitions not using simplified acquisition\nprocedures contain a checklist of file contents completed by a Contract Specialist. Signature by\nthe Contracting Officer on the award document certifies the checklist is accurate and that file\ncontents meet legal and regulatory requirements.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n1. Inspected a selection of acquisition awards using simplified acquisition procedures and\n   determined that the folders were completed.\n2. Inspected a selection of other than simplified acquisitions awards using commercial item and\n   Uniform Contract Format procedures and determined that the folders contained a completed\n   checklist, signed by a contract specialist, and reviewed by a Contract Officer.\n3. Inspected the authorization levels in PRISM and determined that warranted Contracting\n   Officers have specified dollar limits.\n\n\nNo exceptions noted.\n\n\nControl Objective 16 \xe2\x80\x93 Sufficiently Funded Requisitions\n\nControls provide reasonable assurance that contract obligations are supported by approved\nrequisitions.\n\nDescription of Controls\n\nContract officers are warranted by Treasury at specified dollar approval thresholds based on\nexperience and training. 
The automated contract writing system (PRISM) contains award\napproval limits for each Warranted Contracting Officer at their respective approval dollar\nthreshold prohibiting approval of awards at dollar amounts above their authorized level.\n\nPRISM contains controls to ensure procurement awards are not made without sufficient funding\nprovided by a Purchase Requisition (PR) which is tied to each procurement action in the system.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n1. Inspected award authorizations in PRISM and determined that Warranted Contracting\n   Officers approved awards within specified dollar limits.\n2. Inspected award authorizations in PRISM and determined that approved awards contained\n   sufficient funding on PRs in the system.\n\n\nNo exceptions noted.\n\n\nGENERAL COMPUTER CONTROLS\n\nControl Objective 17 \xe2\x80\x93 System Access\n\nControls provide reasonable assurance that systems are protected from unauthorized access in\naccordance with ARC policies and procedures.\n\nDescription of Controls\n\nARC follows Fiscal Service policies and procedures that were developed, documented,\ndisseminated, and that are periodically reviewed and updated to facilitate the implementation of\nlogical access controls. Additionally, procedures specific to Oracle, PRISM, webTA, GovTrip,\nmoveLINQ, and IPP have been documented. 
The logical access controls are based on Treasury\nand Fiscal Service policies and standards (Treasury Information Technology Security Program\nTDP-85-01 Volume I), which, in turn, are based on the applicable Federal laws and regulations.\nThese controls are the system-based mechanisms that are used to specify which individuals\nand/or processes are to have access to a specific system resource and the type of access that is to\nbe permitted. These controls limit user access to information and restrict their system access to\ntheir designated level.\n\nOracle\nAccess to Oracle is restricted to users with a valid logon ID and password. Oracle\nlogons/sessions are encrypted to protect the information, making it unintelligible to all but the\nintended users. Sessions are protected using 128-bit Secure Sockets Layer (SSL) encryption.\nProspective Oracle users must complete, sign and submit an approved Administrative Resource\nCenter System Access Form for End User Applications to request access to Oracle. The end\nuser\xe2\x80\x99s signature indicates that they are familiar with the Privacy Act information and security\nrequirements and will comply with computer security requirements established by Fiscal Service\nand ARC. The form defines the user\xe2\x80\x99s access specifications, which will allow the user to perform\nhis/her duties in Oracle. Changes to existing user profiles require an e-mail to be sent to the\nOracle Support Team mailbox by an authorized individual requesting the change, and defining\nwhat access should be added/deleted/changed. In order to remove a user\xe2\x80\x99s access, Customer\nAgencies submit a request for account termination. At that time, the Oracle user access is end-\ndated in the system to remove their access. Additionally, each day the Oracle Support Team\ngenerates and reviews a list of Oracle user accounts that have been inactive for 80 days. 
An e-\nmail is sent to the user warning them that their account will be end-dated if they maintain an\ninactive status for 90 days. After 90 days of inactivity, the user\xe2\x80\x99s access will be end-dated.\nAnnually, the ARC sends out a list of system users to each Customer Agency for review. The\nOracle Support Team updates the permissions for users based on the responses received from the\nCustomer Agencies.\n\nOracle 11 uses a multi-org functionality to strengthen security within the application. Each\nCustomer Agency is configured as an operating unit in Oracle. When a new responsibility is\ncreated by the Application Administrators, it is mapped to a specific operating unit by a system\nprofile option. The multi-org functionality helps ensure that a user assigned to a responsibility\n(which in turn is mapped to an operating unit) can only see or enter data for that customer (or\noperating unit). Oracle also provides a value set security feature, assigned to a responsibility,\nwhich further controls new data entry in the operating unit by limiting the list of values (LOV) for\nthe accounting flexfield to those values specific to the customer (or operating unit).\n\nWith Oracle R12, responsibilities are assigned to specific Multi-Org Access Control (MOAC)\ngroups, in which case, the MOAC group determines which data can be accessed by users. Data\nentry is also restricted, allowing only values within the MOAC group to be selected for\ntransaction processing. A MOAC group can be comprised of one operating unit (ledger) or\nmultiple ones.\n\nOnly the SYSADMIN account controlled by Oracle On Demand is assigned the System\nAdministrator responsibility in the Oracle application. 
CSB and QCB staff are assigned ARC\nApplication Administrator responsibility in the Oracle application. The employees with the ARC\nApplication Administrator responsibility have limited access to perform operational functions in\nOracle, specifically limited to the month-end closing, during customer conversions (as directed by\nthe functional teams) or emergency situations that can be approved by a supervisor or manager\nafter the fact. Additionally, the individuals with Oracle ARC Application Administrator\nprivileges perform multiple functions, including that of the Oracle Support team members. As a\nresult, these individuals periodically require temporary access privileges of a functional user in\norder to address user inquiries. An edit check prevents an Oracle ARC Application Administrator\nfrom adding or removing any responsibilities from their own user ID.\n\nThe CSB/QCB/Project and Technical Services Branch (PTSB) managers can be assigned the\nARC Application Administrator responsibility in situations where the manager deems the access\nis required. This responsibility is granted on a temporary basis with the proper request and\napproval and will be end-dated once the access is no longer necessary.\n\nAdministrative access to the underlying Oracle servers and databases is limited to Oracle on\nDemand server and database administrators.\n\nUser Identifications (IDs) are assigned to Fiscal Service employees consistent with their network\nlogon ID. User IDs for Customer Agency staff are assigned by an ARC system administrator. A\ntemporary password is assigned to all users by calling the Oracle Support Team. Oracle Support\nTeam personnel are responsible for verifying the caller\xe2\x80\x99s identity. Once the user logs onto the\naccounting system, they must establish their own unique password. 
An Oracle user\xe2\x80\x99s password\nmust meet unique password configuration, password complexity and password expiration criteria\nto ensure strong password security.\n\nOracle access attempt logs are reviewed daily by the PRISM Support Team to identify if users\nattempted to unsuccessfully access the system five or more times in the day. When five or more\nunsuccessful access attempts were made, an e-mail is sent to the user indicating that the access\nattempts were noted and requesting that the user notify ARC if the attempts were not made by the\nuser.\n\nPRISM\nAccess to PRISM is restricted to users with a valid logon ID and password. PRISM\nlogons/sessions are encrypted to protect the information, making it unintelligible to all but the\nintended users. Sessions are protected using 128-bit SSL encryption. Prospective PRISM users\nmust complete, sign, and submit an approved Administrative Resource Center System Access\nForm for End User Applications to request access to PRISM. The end user\xe2\x80\x99s signature indicates\nthat they are familiar with the Privacy Act information and security requirements and will comply\nwith computer security requirements established by Fiscal Service and ARC. The form defines\nthe user\xe2\x80\x99s access specifications, which will allow the user to perform his/her duties in PRISM.\nChanges to existing user profiles require an e-mail to be sent to the PRISM Support Team\nmailbox by an authorized individual at the Customer Agency, requesting the change, and defining\nwhat access should be added/deleted/changed. In order to remove a user\xe2\x80\x99s access, Customer\nAgencies submit a request for account termination. At that time, the PRISM user access is\nend-dated in the system to remove their access. 
Additionally, each day the Oracle Support Team\ngenerates and reviews a list of PRISM user accounts that have been inactive for 80 days. An e-\nmail is sent to the user warning them that their account will be end-dated if they maintain an\ninactive status for 90 days. After 90 days of inactivity, the user\xe2\x80\x99s account will be end-dated.\nAnnually, the ARC sends out a list of users to each Customer Agency for review. Included for\nreview are requisitioner and buyer approval limits by user. The PRISM Support Team updates\nthe access according to the responses received from the Customer Agencies.\n\nUser access within PRISM is further limited by only allowing users to approve the addition or\nmodification of records to the operating units they have been assigned in Oracle. PRISM utilizes\nthe existing security features and functionality of Oracle. For example, new users are setup in\nOracle and assigned appropriate PRISM responsibilities. Within Oracle, the responsibilities are\nmapped to PRISM security groups. The user and security groups then flow to PRISM. Within\nthe PRISM application, users are assigned additional responsibilities as authorized on the access\nform.\n\nUpdates to a user\xe2\x80\x99s PRISM responsibilities are audited by independent employees within CSB.\nThe changes to functional access privileges are reviewed and compared to the changes to the\nBTD\xe2\x80\x99s Team Responsibilities matrix to determine whether or not the access privileges are\nappropriate. Follow up is performed to validate the addition of any privileges that are not on the\nBTD\xe2\x80\x99s Team Responsibilities matrix.\n\nThe System Administrator responsibility in PRISM is limited to certain employees requiring the\naccess for the performance of job duties. 
Administrative access to the underlying PRISM servers\nand databases is limited to Oracle on Demand server and database administrators and specific\nBTD employees.\n\nUser IDs are assigned to Fiscal Service employees consistent with their network logon ID. User\nIDs for Customer Agency staff who utilize PRISM are assigned by an ARC system administrator.\nA temporary password is assigned to all users by calling the PRISM Support Team. PRISM\nSupport Team personnel are responsible for verifying the caller\xe2\x80\x99s identity prior to establishing the\nuser\xe2\x80\x99s password. Once the user logs onto the system, they must establish their own unique\npassword. A user\xe2\x80\x99s password must meet unique password configuration, password complexity\nand password expiration criteria to ensure strong password security.\n\nPRISM access attempt logs are reviewed daily by the Oracle Support Team to identify if users\nattempted to unsuccessfully access the system five or more times in the day. When five or more\nunsuccessful access attempts were made, an e-mail is sent to the user indicating that the access\nattempts were noted and requesting that the user notify ARC if the attempts were not made by the\nuser.\n\nwebTA1\nAccess to webTA is restricted to users with a valid logon ID and password. Access to webTA is\nprovided using 128-bit SSL encryption. All personnel require access to webTA in order to\ncomplete time and attendance submission. Users granted standard employee access privileges are\nnot required to submit an access form. However, users that require elevated access privileges\n(e.g., timekeeper, supervisor) are added to the webTA system following receipt of a supervisor-\napproved Administrative Resource Center System Access Form for End User Applications. 
The end user’s signature indicates they are familiar with the Privacy Act information and security
requirements and will comply with computer security rules. The form defines the user’s access
specifications, which will allow the user to perform his/her duties in webTA. Changes to existing
user profiles require a new access form to be submitted by the Customer Agency. Upon receipt
of an Administrative Resource Center System Access Form for End User Applications requesting
the deletion of a webTA user or upon receipt of a timesheet coded as “Final,” an HR
Administrator in PLSB removes the assigned responsibilities. Annually, an HR Administrator
sends out a list of timekeepers and supervisors to each Customer Agency for the agency to use in
performing a periodic review of access. The list is limited to those timekeepers and supervisors
who are not currently responsible for validating or approving time for an active employee at the
Customer Agency. The review ensures that these employees who do not currently validate or
approve time on a regular basis still require their role as a timekeeper or supervisor.

¹ The scope of the description of webTA controls applies only to full service webTA customers.

User access within webTA is further limited by the role the user is assigned in the system (i.e.,
Employee, Timekeeper, Supervisor, etc.). The System Administrator and HR Administrator roles
in webTA are limited to certain employees, ensuring no one serves in both administrator roles.
Periodically, there is a need for the System Administrator to research a problem in a production
instance using an HR Role.
When such an event arises, the System Administrator can be
temporarily granted HR-specific roles with supervisor approval. Administrative access to the
underlying webTA servers and databases is limited to server and database administrators within
the ISS.

An HR Administrator assigns user IDs to Fiscal Service employees consistent with their network
logon ID. User IDs for Customer Agency staff who utilize webTA as timekeepers or supervisors
are also assigned by an HR Administrator. An HR Administrator also assigns a temporary
password to users by e-mail. Once the user logs on to the system, they must establish their own
unique password. A user’s password must meet unique password configuration, password
complexity and password expiration criteria to ensure strong password security.

GovTrip
Access to GovTrip is restricted to users with a valid logon ID and password. All users must
complete the self-registration process. After the self-registration information is verified, the TSD
helpdesk forwards an account token to the user so that the user can activate their account.
Budget Reviewers and Approving Officials must complete, sign, and submit an approved
Administrative Resource Center Online Applications Access Request or have an approving
official or agency travel contact authorize access via e-mail. The end user’s signature indicates
they are familiar with the Privacy Act information and security requirements and will comply with
computer security requirements established by Fiscal Service and ARC. The form defines the
user’s access specifications, which will allow the user to perform his/her duties in GovTrip.
Changes to a user’s identification (i.e., name change) or to the user’s role in GovTrip require an
Administrative Resource Center Online Applications Access Request to be resubmitted or an
e-mail from the user copying his/her approving official or agency travel contact.
Upon receipt of
an Exit Clearance form or e-mail request, GovTrip access is set to indicate that the user has
terminated. On an annual basis, TSD staff creates reports of GovTrip users and distributes the
reports to Customer Agency Travel contacts for review and verification of the accounts.

GovTrip has user access levels that separate permissions from highest to lowest into these
categories:
    • System administrators (NGMS only)
    • Application administrators; Designated TDSB staff
    • Application administrators; Customer Service Help Desk Tier 2, Designated TDSB staff
    • Customer Service Help Desk Tier 1, Designated TDSB Staff
    • Approving Officials and Budget Reviewers
    • User; Traveler and Document Preparer
    • Terminated Users; Invitational Travelers

Access privileges are granted in accordance with the concept of least privilege required.

Users must establish their own unique GovTrip password. A user’s password must meet unique
password configuration, password complexity, and password expiration criteria to ensure strong
password security.

moveLINQ
Access to moveLINQ is restricted to authorized TSD users with a valid logon ID and password.
The process for requesting, establishing, issuing, and closing user accounts is controlled through
the use of the moveLINQ Online Application Access Request Form which requires
lead/supervisor approval. The form defines the user’s access specifications, which will allow the
user to perform his/her duties in moveLINQ.
Changes to a user’s identification (i.e., name
change) or to the user’s role in moveLINQ also require a moveLINQ Online Application Access
Request Form. The user access list is reviewed by management every time a change is made or
six months from the last review, whichever is longer.

User IDs are assigned to authorized TSD employees consistent with their network logon ID. A
temporary password is assigned to moveLINQ users in person or by phone. Once the user logs
onto moveLINQ, they must establish their own unique password which is encrypted. A user’s
password must meet unique password configuration, password complexity and password
expiration criteria to ensure strong password security.

moveLINQ has user access roles that separate permissions from highest to lowest into these
categories:
    • Admin
    • HHS_Reviewer
    • MGMT1
    • MGMT2
    • RC
    • RC_HHS_Reviewer
    • SAS_Accting
    • STEP
    • Tax_Prep
    • Tech
    • Viewer
    • VIP Reviewer

Access privileges are granted in accordance with the concept of least privilege required.

See Control Objective 19 for further discussion of the physical access control process.

Invoice Processing Platform (IPP)
Access to IPP is restricted to users with a valid logon ID and password. Internal and external
users must complete, sign, and submit an approved Administrative Resource Center Online
Applications Access Request form.
Customer users must submit a Certificate of Completion for
the On-line Invoice Approver Training located on their ARC customer webpage, unless they are
on the list of attendees that completed the training given during their customer conversion to IPP.
The end user’s signature indicates they are familiar with the Privacy Act information and security
requirements and will comply with computer security requirements established by Fiscal Service
and ARC. The form defines the user’s access specifications, which will allow the user to perform
his/her duties in IPP. The user will receive one e-mail with a user ID and another containing a
temporary password from the Treasury UPS User Administration. Annually, FRB Boston sends a
list of all IPP users in the Fiscal Service Admin Disburser Account for recertification. ARC
reaches out to the customer agency IPP contact and returns the results to FRB Boston.

The IPP Fiscal Service Admin Disburser Account has user access levels that separate permissions
into these categories from highest to lowest:

    • Administrator
    • Invoice Approver
    • Processor
    • Viewer

Access is in accordance with the concept of least privilege required.

Users must establish their own unique IPP password.
A user’s password must meet unique
password configuration, password complexity and password expiration criteria that follow the
configuration requirements established by Fiscal Service Treasury Web Applications
Infrastructure (TWAI) to ensure strong password security.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:
    • Review and approve listing of users with current Oracle, PRISM, IPP, webTA, and GovTrip
      access to ensure appropriateness.
    • Ensure exiting employee timecards are coded “Final” as this will help ensure that HR staff
      deactivate the employee’s webTA access.

Tests of Operating Effectiveness and Results of Testing

1. Inspected the Treasury Information Technology Security Program TDP-85-01 Volumes I and
   II and determined that security policies and procedures were documented.
2. Inspected Oracle user account management procedures and password procedures and
   determined that the security policies and procedures are documented for Oracle.
3. Inspected PRISM user account management procedures and password procedures and
   determined that security policies and procedures are documented for PRISM.
4. Inspected webTA user account management procedures and password procedures and
   determined that security policies and procedures are documented.
5. Inspected GovTrip user account management procedures and password procedures and
   determined that security policies and procedures are documented for GovTrip.
6. Inspected moveLINQ user account management procedures and password procedures and
   determined that security policies and procedures are documented for moveLINQ.
7. Inspected IPP user account management procedures and password procedures and determined
   whether security policies and procedures were documented.
8. Observed a logon session and noted that the Oracle users require a valid login ID and
   password and that logins/sessions are encrypted with 128-bit SSL encryption.
9. For a selection of new Oracle users, inspected user access request forms and determined that
   the forms are completed, access was authorized, and the forms contained employees’
   signatures to denote that they understand the Privacy Act requirements.
10. For a selection of changes to Oracle user profiles, inspected authorizing documentation and
    determined that updates to access rights were authorized.
11. Inspected a selection of requests for termination of Customer Agency employees’ Oracle
    access and evidence of when the account was end-dated in the Oracle system and determined
    that requests for termination of access from customer agencies are completed in a timely
    manner.
12. For a selection of Customer Agencies, inspected evidence of the annual Oracle user access
    review and determined that the annual reviews are performed.
13. Inspected the list of user accounts and corresponding access within Oracle and determined
    that each user’s access is restricted to distinct operating units or Customer Agencies.
14. Inspected the user roles assigned to the Oracle Application administrators and compared them
    to the BTD Allowable Responsibilities Table, and determined that the functional user
    permissions were restricted and commensurate with job responsibilities.
15. Observed an Oracle System Administrator attempting to add responsibilities to their user ID,
    and noted that system administrators could not add responsibilities to their user IDs.
16. For a selection of users that were granted temporary Admin Access, inspected documentation
    authorizing use of the temporary Admin Access and determined that the temporary Admin
    Access was documented, approved, and revoked when no longer needed.
17. Inspected the access control lists for Oracle and determined that Application Administrator
    privileges were commensurate with job responsibilities.
18. Inspected the Oracle user list and determined that the accounts follow the naming convention.
19. Inspected Oracle profile options and determined that the Oracle accounts are configured to be
    locked out after 30 minutes of inactivity.
20. Inspected Oracle profile options, and determined that failed logins, password complexity,
    generation, and length requirements are configured in accordance with ARC password
    standards.
21. Inspected Oracle profile options for system administrators and users, and determined that
    password lifespan days established for system administrators and users were configured in
    accordance with ARC password standards.
22. For a selection of dates, inspected Oracle violation logs and evidence of review and
    determined that violation logs are reviewed.
        • Exceptions Noted: The Oracle Invalid Login Report was not reviewed or
          produced for 5 of the 13 days selected.
        • Remediation: Inspected updated procedures for reviewing the Oracle Invalid
          Login Reports and determined they were documented. For a selection of dates,
          inspected Oracle violation logs and determined that violation logs were
          reviewed.
23. Observed a logon session and noted that user ID and password are required and that PRISM
    logins/sessions are encrypted with 128-bit SSL encryption.
24. For a selection of new PRISM users, inspected user access request forms and determined that
    the forms are completed and access was authorized.
25. For a selection of changes to PRISM user accounts, inspected authorizing documentation and
    determined that updates to the accounts were authorized.
26. Inspected a list of separated employees and a list of PRISM users and determined that
    separated employees did not retain access to PRISM.
27. For a selection of days, inspected the inactive reviews and determined that the reviews are
    performed on a daily basis.
        • Exceptions Noted: The Oracle Duties Inactivity Report was not reviewed or
          produced for 1 of the 13 days selected.
        • Remediation: Inspected updated procedures for reviewing Oracle Duties
          Inactivity Report and determined they were documented. For a selection of
          dates, inspected Oracle Inactivity reports and determined that inactivity reports
          were reviewed.
28. Inspected evidence of distribution of PRISM user lists for review and determined that
    user account lists are distributed on an annual basis for review.
29. Observed the production PRISM system for a user and noted that the system can be
    configured as defined in the control and in the New User Setup document.
30. There were no changes to functional user access requests processed during the period for
    PRISM.
31. Inspected the access control lists for PRISM and determined that Application Administrator
    privileges were commensurate with job responsibilities.
32. Inspected the PRISM user list and determined that accounts appeared to follow the naming
    convention, using first initial and second initial if necessary and a last name.
33. Observed the PRISM Support Team member creating a new account in the PRISM system
    and noted that upon first login the user was immediately directed to reset their password.
34. Inspected PRISM password settings and determined that failed logins, password complexity,
    aging, generation, and length requirements are configured in accordance with ARC password
    standards.
35. Inspected PRISM configuration settings and determined that the PRISM sessions are
    configured to time out if they remain inactive for 20 minutes.
36. For a selection of dates, inspected PRISM violation logs and evidence of review and
    determined that violation logs are reviewed.
        • Exceptions Noted: The PRISM Invalid Login Report was not reviewed or
          produced for 2 of the 13 days selected.
        • Remediation: Inspected updated procedures for reviewing the PRISM Invalid
          Login Reports, and determined that they were documented. For a selection of
          dates, inspected PRISM violation logs and determined that violation logs and
          reports were reviewed.
37. Observed a logon session and noted that webTA logins/sessions required user name and
    password.
38. Observed a user log into webTA and noted that connections to webTA are encrypted utilizing
    128-bit SSL encryption.
39. For a selection of new and modified webTA users with elevated privileges, inspected user
    access request forms and determined that the forms are completed and access is authorized.
40. Inspected a list of separated employees and a list of webTA users and determined that no
    separated employees retained access to the webTA application following termination.
41. For a selection of Customer Agencies, inspected evidence of distribution of a list of webTA
    supervisors and timekeepers for annual user account review by the customer agency and
    determined that annual reviews of access are completed.
42. Inspected the Fiscal Service user privileges within webTA and determined that users are
    assigned in a role-based security configuration.
43. Inspected the Fiscal Service user privileges within webTA and determined that users assigned
    HR Administrator did not have Administrator Access.
44. Inspected the webTA user privileges for a selection of customer agencies and determined that
    users are assigned in a role-based security configuration, and users assigned HR
    Administrator did not have Administrator Access.
45. Inspected the webTA user privileges for a selection of customer agencies, the Fiscal Service
    group and the Fiscal Service employee list and determined that users with Administrator
    access were restricted to employees in the BTD group.
46. Observed webTA for an initial login and noted that the user is required to create a new
    password at first login.
47. Inspected webTA password settings and determined that failed logins, password complexity,
    aging, generation, and length requirements are configured in accordance with ARC password
    standards.
48. Inspected webTA configuration settings and determined that webTA sessions are configured
    to time out if they remain inactive for 10 minutes.
49. Observed a user access the GovTrip system and noted that a user is required to be
    authenticated prior to accessing the system.
50. For a selection of new GovTrip users, inspected confirmation e-mails and determined that the
    user accounts were authorized.
51. For a selection of changes to GovTrip users, inspected authorizing documentation and
    determined that access changes are documented and access is authorized.
52. Inspected a list of separated employees and a list of GovTrip users, and determined that the
    separated employees did not retain access to the GovTrip application.
53. Inspected evidence of distribution of GovTrip user lists for review and determined that user
    account lists are distributed on an annual basis for review.
54. Inspected the user privileges within GovTrip and determined that users are assigned in a
    role-based security configuration from highest to lowest.
55. Observed a user attempting to change their password to an invalid setting and noted that the
    system automatically prevented the use of a password that did not conform to the requirements.
56. Observed a moveLINQ user log in to the web-based system and noted that they are required to
    enter a user id and password.
57. Inspected a selection of reviewed moveLINQ user access lists and determined that the review
    of access was performed.
58. Inspected documentation for a selection of added moveLINQ users and determined that the
    requests are documented and approved.
59. Inspected a selection of moveLINQ modification requests and determined that the requests
    are documented and approved.
60. Inspected a selection of moveLINQ termination requests and determined that the removal of
    access is documented and performed.
61. Inspected the list of ARC separations and the active list of moveLINQ accounts and
    determined there are no accounts of terminated employees on the system.
62. Inspected the current moveLINQ user list and determined that accounts are assigned with
    network IDs.
63. Observed and noted that a moveLINQ user must reset their password upon initial login.
64. Observed a moveLINQ user attempt to change their password to non-compliant passwords to
    test length and complexity requirements and noted that the system prevented the changes.
65. Observed a moveLINQ user enter the incorrect password three times and noted that the
    system locked the user account.
66. Inspected the user privileges within moveLINQ and determined that users are assigned in a
    role-based security configuration from highest to lowest.
67. Observed an IPP user log in to the system and noted that they are required to enter a user id
    and password.
68. Inspected the annual IPP account recertification supporting documentation and determined
    that ARC contacted Customer Agencies and the results were returned to FRB Boston.
69. Inspected documentation for a selection of added IPP users and determined that the requests
    were documented and approved.
70. Inspected the list of ARC separations and the active list of IPP accounts and determined there
    were no accounts of terminated employees on the system.
71. Inspected the user privileges within IPP and determined that users were assigned in a
    role-based security configuration from highest to lowest.

No exceptions noted, except as described above.

Control Objective 18 – System Changes

Controls provide reasonable assurance that system software and application changes are tested,
approved, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for testing, approving, and documenting changes. ARC System
Administrators are facilitators of the formal change management process via My Oracle Support,
Oracle on Demand’s web-based service request system.

Oracle and PRISM
For Oracle and PRISM, ARC uses iET/My Oracle Support to document key steps for each
change, including the initial request, approval, and implementation into production.

ARC processes standard software releases (i.e., patches) for both Oracle and PRISM.
Additionally, ARC processes customized application extension changes to Oracle. The ability to
process and apply Oracle and PRISM changes is restricted to the database administrators under
the coordination of Oracle on Demand.

ARC Application Administrators, as designees of the system owner, serve as the primary
initiators of change requests. The following is indicated in the request: all the affected parties, a
description of the change, the applicable instance, and the requested date of the change. PTSB
staff develop customizations in separate development instances. QCB staff test changes by
running test scripts and analyzing the results.
Upon successful completion of testing, QCB staff
approve the change request and forward it to the performer of the change, Oracle on Demand
database administrators. After the approved request has been completed, the performer updates
the request in iET/My Oracle Support accordingly, and the request is then closed.

For emergency changes to a production instance of Oracle or PRISM, ARC requires verbal
approval from a designated on-call manager (for all production instances). ARC Application
Administrators document the emergency change in iET/My Oracle Support on the next business
day.

webTA
ARC has a webTA maintenance agreement in place with immixTechnology, a vendor for Kronos’
webTA product.

For webTA, ARC applies standard software releases (i.e., patches) only. Unlike Oracle, webTA
does not have application extensions that are customizable by ARC.

When a new webTA release is received from Kronos (the developer of webTA), QCB staff test
the new release in a separate test instance by running test scripts and analyzing the results. Upon
successful completion of customer acceptance testing, the QCB staff forward a request for
applying the new webTA release to production to the appropriate parties for approval. The ability
to apply webTA releases is restricted to the database administrators under the coordination of
ISS. The new webTA release is not applied to production until it has been successfully tested and
approved.

GovTrip
GovTrip is hosted and maintained by NGMS at their facility. NGMS informs TSD of scheduled
updated system releases and the changes contained therein.
System changes are also initiated by
TSD Analysts who make enhancement requests to NGMS for changes to be included by NGMS
in future scheduled release updates. TSD analysts test all applicable GovTrip changes in a
GovTrip acceptance test environment. If any of the changes included in a scheduled GovTrip
release update fail TSD’s acceptance testing, NGMS may delay implementation of the release
update. TSD has documented procedures for testing GovTrip changes. Guidance is provided to
customer contacts on any changes.

moveLINQ
moveLINQ is hosted by ISS and maintained at Fiscal Service. mLINQS informs the RSB
Manager and moveLINQ System Administrators of scheduled updated system releases and the
changes contained therein. System changes are also initiated by moveLINQ System
Administrators who make enhancement requests to mLINQS for changes to be included by
mLINQS in future scheduled release updates. moveLINQ System Administrators and users test
all moveLINQ changes in moveLINQ test environments. If any of the changes included in a
scheduled moveLINQ release update fail the testing, RSB may delay implementation of the
update until the release passes the testing. RSB has documented procedures for testing and
implementing moveLINQ changes. RSB uses the Fiscal Service’s iET to track changes to the
system.

Invoice Processing Platform (IPP)
IPP is a web-based system hosted by the Federal Reserve Bank of Boston (FRBB). FRBB
notifies all primary agency users in advance of any new IPP release and holds review/preview
meetings to discuss all known changes as well as potential changes for the next release. During
the “preview” section of the meeting, agencies can rank the proposed changes for the next
release.
In addition, FRBB publishes testing schedules and provides the agencies an opportunity
to test the changes in a QA environment prior to deploying the code into IPP Production.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures and determined that ARC had documented procedures for
   testing, approving, and documenting changes.
2. Observed iET and noted that the system was designed to retain the necessary change
   management documentation and noted when a change to iET is made.
3. Inspected a selection of changes processed in iET/My Oracle Support and determined that
   the changes were tested and approved prior to implementation to the production environment.
4. Inspected the OOD contract and determined that changes to Oracle and PRISM are
   coordinated with OOD database administrators.
5. Inspected the maintenance agreement and determined that the agreement contained system
   upgrade and maintenance provisions.
6. Inquired of management about the emergency change process, inspected iET and determined
   that there were no emergency changes processed for Oracle and PRISM.
7. Inspected the webTA system maintenance agreement and determined that it contained system
   maintenance provisions and that it was current.
8. Inquired of management about the upgrade and emergency change process for webTA,
   inspected iET and determined that there were no upgrades or emergency changes processed
   for webTA.
9. Inspected the GovTrip system maintenance agreement and determined that it contained
   system maintenance provisions and that it was current.
10. For a selection of GovTrip changes, inspected documentation of testing and determined that
    changes were tested prior to implementation in production.
11. Inspected written procedures and determined that testing of GovTrip changes was completed
    in accordance with ARC procedures.
12. Inspected the moveLINQ system maintenance agreement and determined that it contained
    system maintenance provisions and that it was current.
13. For a selection of moveLINQ changes, inspected documentation of testing and determined
    that changes were tested prior to implementation in production.
14. Inspected written procedures for testing moveLINQ changes and determined that change
    procedures were formally documented.
15. Observed iET and noted that the system was designed to retain the necessary change
    management documentation and noted when a change to iET was made.

No exceptions noted.

Control Objective 19 – Non-interruptive System Service

Controls provide reasonable assurance that interruptions due to operational failures are
appropriately limited.

Description of Controls

Fiscal Service has documented policies and procedures for controlling physical access to Fiscal
Service buildings and to the data center.
These include:
    • Identification of sensitive/critical areas to which access needs to be restricted.
    • Physical access controls designed to detect unauthorized access.
    • Procedures for log reviews and investigation of violations.
The Security Branch issues employee badges, after performing security background checks and
fingerprinting.
Employees are required to have badges available at all times upon request.
Terminated employees are required to surrender identification badges and are removed from the
Physical Access Control System (PACS) immediately.
The webTA and moveLINQ servers reside in ISS’s data center. Physical access to the ISS Data
Center is restricted to authorized users only. An employee needing access to the data center must
have his/her Branch Manager request access. The requests are made through iET, a workflow
system that is used to approve data center access. After the Branch Manager completes and
submits the iET request form, requests are forwarded to ISS's data center managers for approval
in the iET. If ISS approves the request, the Fiscal Service Division of Security and Emergency
Programs (DSEP) Security Branch grants access via PACS. Only designated DSEP specialists
have access to PACS. Access to all sensitive areas requires use of a badge. The use of a badge
provides an audit trail that is reviewed by ISS management monthly for potential access
violations. Any unauthorized access attempts are followed up on by contacting the individual’s
supervisor.

Individuals without badge access to the data center must be escorted to the command center and
are required to sign in/out of a Visitor log to be issued a data center visitor badge. Visitor badges
do not have access to the data center, but rather designate the individual as a visitor.
This log is
maintained at the main entrance to the data center.

Vendors that are authorized to have a badge are issued a one-day badge and must leave their
access badge onsite following completion of work in the data center. A log of One-Day badges is
maintained and reviewed daily.

ISS performs a monthly review and reconciliation of individuals with data center access to
individuals authorized to have data center access. Additionally, ISS performs an annual review
and recertification of individuals with access to the data center. If an individual is found to have
unauthorized data center access, ISS will, based on the individual’s need for access, make a
decision whether to request that DSEP remove their data center access or whether to provide
authorization for their access.

From Fiscal Service’s location, web sites, FTP servers, web servers, and aspects of intrusion
detection are monitored every ten minutes with a combination of software monitoring tools. The
availability of network infrastructure, such as switches and firewalls, is monitored with a
combination of software monitoring tools. ISS's data center is physically monitored by
environmental monitoring software that provides continuous checking and alarming capabilities
for temperature changes, water, and humidity threats. Fire detection and suppression systems are
installed in the data center. Redundant battery-powered uninterruptible power supplies and a
backup generator protect the data center from an unplanned loss of power. Redundant air
conditioning systems protect data center computers from overheating in the event of air
conditioning equipment failure.
ISS provides operations, support, capacity planning,
performance monitoring, networking, security monitoring, development, change management,
back up, hardware acquisitions and maintenance, and installation support for ARC.

Oracle
System operations manuals are provided to each employee assigned system maintenance
responsibilities. The Oracle Support Team, within CSB, is available for users to call if they are
experiencing difficulties with the system. In addition, Oracle support personnel have access to
internal application setup and security documentation, as well as various manuals and
documentation produced by the Oracle Corporation.

PRISM
PRISM user manuals are provided to end users. The PRISM Support Team, within CSB, is
available for end users to call if they are experiencing difficulties with the system, and PRISM
application administrators have access to internal application setup and security documentation,
as well as various manuals and documentation produced by Compusearch.

webTA
webTA support personnel have access to online documentation produced by Kronos. The Human
Resources Support Desk is available for users to call if they are experiencing difficulties with the
system. QCB acts as a liaison between the Human Resources Support Desk and ISS to resolve
system issues.

ISS performs differential backups of the production system nightly and performs a full tape
backup weekly. The monthly backup tapes are sent to a long-term offsite facility.

See Control Objective 20 for further discussion of the backup process.

GovTrip
ARC TSD staff investigates and attempts to resolve any system issues noticed by the ARC staff
or reported to TSD by GovTrip users. When possible, TSD staff resolves GovTrip issues. If
TSD staff cannot resolve an issue, the issue is escalated to NGMS.
TSD notifies system users of
the length of the expected outage or malfunction and notifies them again when the issue is
resolved.

moveLINQ
ARC purchases new license agreements annually from mLINQS, which include all upgrades and
service packs, monthly per diem rates, Federal travel regulation updates, and unlimited technical
support.

moveLINQ System Administrators investigate any system issues noticed by the ISS Database
Administrators or reported to them by moveLINQ users. When possible, moveLINQ System
Administrators resolve moveLINQ issues. If the administrator cannot resolve an issue, the issue
is escalated to mLINQS, the vendor. The System Administrator notifies the users of the length of
the expected problem and notifies them again when the issue is resolved.

ISS performs differential backups of the moveLINQ production database nightly and performs a
full tape backup weekly. The nightly backups are kept on-site for four weeks. The monthly full
backup tapes are sent to a long-term off-site facility for two years.

See Control Objective 20 for further discussion of the backup process.

RSB maintains the data in the moveLINQ system for six years and three months.

Invoice Processing Platform (IPP)
IPP is a web-based system hosted by the Federal Reserve Bank of Boston (FRBB). FRBB has a
customer service center for both agencies and suppliers including a help desk phone line and
e-mail address. When IPP system issues arise, Fiscal Service sends an e-mail to the IPP Customer
Support Center at FRBB for investigation and resolution by FRBB.

Tests of Operating Effectiveness and Results of Testing

1. Inspected physical access policies and procedures for the data center and determined that they
   were documented and that they included the identification of sensitive/critical areas to which
   access needs to be restricted, physical access controls designed to detect unauthorized access,
   and procedures for log reviews and investigation of violations.
2. Observed physical access controls of Fiscal Service buildings and the ISS data center and noted
   that security guards, video cameras, badge readers, and locked doors were in place and in
   operation to restrict access.
3. Observed persons entering Fiscal Service buildings and noted that persons were required to
   place any materials, packages, bundles, etc. onto an x-ray machine, and additionally were
   required to pass through a walkthrough metal detector.
4. Observed persons entering Fiscal Service buildings and noted that an activation of the
   walkthrough metal detector resulted in further screening by the security guard, utilizing a
   handheld metal detector to identify the source of activation.
5. Observed an entrant swipe their badge into the access control system and noted that the
   controls system granted access to authorized personnel.
6. Inspected a list of employees with card key access to the data center and tape storage room
   from the card security system and an organizational employee listing showing employees
   requiring access to the data center and tape storage room and determined that physical access
   to the ISS data center was restricted to authorized employees only.
7. For a selection of employees and contractors granted access to the data center, inspected the
   iET record for granting access and determined that access was approved by the data center
   manager.
8. For a selection of dates, inspected visitor logs and determined that visitor logs were used.
9. For a selection of dates, inspected the One Day Badge logs and determined that an inventory
   of vendor badges was performed.
10. Inspected documentation of the monthly review of physical access privileges to the data
    center and determined that access privileges were reviewed.
11. Inspected documentation of the annual recertification of physical access privileges to the data
    center and determined that access privileges were recertified.
12. Observed Manage Engine OP Manager and HP Site Scope, and noted that these applications
    are installed and in use by ISS staff.
13. Observed variance monitoring logs and noted that they automatically generated alerts from
    HP’s Site Scope and determined that the application provided monitoring over websites, FTP
    servers, and web servers and that ISS staff reviewed these logs and alerts.
14. Observed the Andover monitoring application and noted that the application was installed
    and used to monitor ISS data center environmental conditions.
15. Observed the ISS data center and noted that sprinklers, hand-held fire extinguishers, and
    raised floors were present.
16. Inspected completed maintenance work orders and inspection reports for the uninterruptible
    power supply (UPS), and the emergency power generator and determined that the generator
    and UPS were maintained.
17. Observed deployed environmental controls and noted that environmental controls were
    present.
18. Observed Oracle operations manuals and noted that the manuals were available to support
    personnel.
19. Observed internal application setup and security documentation, as well as various manuals
    and notes produced by Oracle Corporation and determined that Oracle support personnel had
    adequate access to materials.
20. Observed PRISM application setup and security documentation and system manuals and
    noted that documentation was available to support personnel.
21. Inquired of management and determined that the PRISM Support Team fielded calls for
    incidents related to PRISM.
22. Inspected ARC’s maintenance agreement for webTA and determined that it was current.
23. Inspected a backup schedule and backup log report of the production system and determined
    that nightly differential and weekly full tape backups are performed.
24. Observed the Iron Mountain SecureSync website and noted if WebTA monthly backup tapes
    were sent to a long-term offsite facility.
25. Inspected the GovTrip incident escalation procedures and determined that incident escalation
    procedures are documented and available to support ARC staff personnel in investigating and
    attempting to resolve any system issues.
26. Inspected the GovTrip incident escalation procedures and determined that if TSD staff cannot
    resolve an issue they escalate the issue to NGMS.
27. Inspected ARC’s maintenance agreement with moveLINQS and determined that it required
    moveLINQS to provide software and technical support for moveLINQ.
28. Inspected RSB System Administrators escalation procedures and determined that when an
    RSB Administrator cannot resolve an issue, they escalate the issue to mLINQS.
29. Inspected the agreement with the offsite storage vendor and determined that a formal
    agreement was in place for the offsite storage of data in real time.

No exceptions noted.

Control Objective 20 – Records Maintenance

Controls provide reasonable assurance that source document files are retained and safeguarded in
accordance with ARC and Fiscal Service’s Records Management Office policies and procedures.

Description of Controls

moveLINQ
ISS performs backups of specified distributed systems and applications as identified by the data
owners. These backups are performed by the guidelines set forth in the Standard Operating
Procedures. Once the backups have been completed, the media can be moved to an alternate
facility as long as the data is encrypted. Once media is identified as needing to be moved off-site,
Enterprise Infrastructure Branch (EIB)/Data Archival and Retrieval Team (DART) is notified
with the specified media ID numbers and the desired retention period. EIB/DART will remove
the specified media from the tape library and send it to the Fiscal Service Warehouse and
Operations Center in sealed containers. The location of media is tracked by the various systems
that create the images on the media using data backup utilities. In addition, EIB/DART maintains
copies of all transmittal sheets that list the media sent in each shipment. Once a week media is
picked up and returned by the off-site storage provider. Long-term offsite storage is provided
through a contract.
Authority to recall tapes from off-site is limited to those individuals identified
on a list maintained by the off-site storage provider.

Based on the requirements for the data in the accounting, procurement and relocation systems,
backup tapes are created daily, weekly, and monthly. Daily backups are retained onsite for four
weeks in the data center tape vault. Weekly backups are retained for eight weeks onsite and
monthly backup tapes for two years to indefinitely depending on the data contained, are stored
offsite with a tape storage vendor. For the HR time clock system, tapes are created weekly and
stored off site for two to eleven years depending on the data.

When tapes are returned from long-term storage, ISS reconciles the shipment that they have
received to their records of the tapes expected to be returned.

On an annual basis, ISS performs a full physical inventory of all backup tapes that are in Fiscal
Service’s possession, both at the data center tape library in Parkersburg, West Virginia and at the
Warehouse and Operations Center.

Network File Servers
Differential tape backups of network servers are created daily. On a weekly basis, ISS completes
a full back up of all ARC shared network files to a data tape. ISS retains the backup tapes for five
weeks.

Record Storage
Autonomy is a National Archives and Records Administration (NARA) approved records storage
system used by ARC. Hard copy data records are kept in folders and/or binders on-site for one or
two years. When hard copy data records are ready to be transferred off-site, they are either stored
in boxes or they are scanned and stored electronically.

Data records that will be retained in hard copy are packed into boxes and sent to off-site storage.
Prior to sending the boxes off-site, a description of the data being stored in the box, including the
box’s latest document date, and approved retention authority is entered into Autonomy.
Fiscal
Service’s Records Management Office approves the box for storage and produces a label that is
placed on the box. The label includes a unique box number, bar code and box description. The
destruction date is calculated using the approved retention period and the latest document date.

Hard copy data records may also be scanned and metadata is recorded in Autonomy. Data
records are stored in Autonomy folders based on the data's calculated destruction date using the
approved retention period and the latest document date. This method provides for quicker access
to archived data.

For relocation documents, active hard copy records are locked after hours. Inactive and closed
hard copy records are maintained in a locked onsite storage room.

Tests of Operating Effectiveness and Results of Testing

1. Observed the online tape management system and noted that data was encrypted prior to
   being written to tape and sent off site.
2. Inspected a list of individuals with authority to recall tapes from offsite storage and their job
   descriptions and determined that authority to recall tapes was commensurate with job
   responsibilities.
3. Observed the online tape management system and contingency site Tape Manifests and noted
   that tapes were kept at three separate locations.
4. Inspected the agreement with the offsite storage vendor and determined that a formal
   agreement was in place for the offsite storage of media.
5. Observed Operations Personnel step through the process of opening received packages of
   tapes from Iron Mountain and noted that they compared the contents of the package to the
   tape management records.
6. Inspected the full physical inventory documents of all backup tapes that were in Fiscal
   Service’s possession and determined that the annual tape inventory was performed.
7. For a selected network file server used by ARC, inspected system-generated backup
   schedules and backup logs and determined that daily differential backups and weekly full
   backups of the file server were scheduled and successfully completed.
8. Observed the location of the on-site hard copy records and noted that the hard copy records
   were stored on-site in folders for the specified time period.
9. Inspected an example of a hard copy records offsite shipment box and determined that
   appropriate descriptions were documented.
10. Observed hard copy records scanned into Autonomy and noted that they were scanned.
11. Inspected hard copy records destruction logs and determined that the log identifies the hard
    copy records that were destroyed, date approved, and approved by Manager of the files.
12. Observed the Autonomy system and noted that the records could be created, requested, and
    saved electronically using Autonomy, which was maintained by ASB.
13. Observed the location of the active hard copy data records and noted that the hard copy
    records were locked after hours.
14. Observed the location of the inactive hard copy data records and noted that the hard copy
    records were stored in a locked onsite storage room.
15. Inspected the list of authorized individuals that had access to the onsite storage room and
    determined that only authorized individuals had access.

No exceptions noted.

V. OTHER INFORMATION PROVIDED BY THE ADMINISTRATIVE RESOURCE CENTER

CONTINGENCY PLANNING

System Back Up
The Oracle Federal Financials (Oracle) accounting system has a contingency plan managed by
the Administrative Resource Center (ARC). There is a formal ARC Business Continuity Plan
(BCP), which was last updated in January 2013. All essential Oracle functions will be performed
with the support of ARC employees. Full disaster recovery testing is performed on an annual
basis in conjunction with the Bureau of the Fiscal Service’s (Office of Information Technology
and security services (ISS), Data Center’s Disaster Recovery Plan (DRP). The Oracle primary
database servers, located at Oracle on Demand's primary site in Austin, TX, are replicated near
real time using Data Guard to a contingency location. Oracle's Network File System (NFS)
serves as the secondary back up of live data for the application. Data from the NFS is sent to tape
back-up twice weekly and stored at an offsite location. These tapes serve as a tertiary back-up.

ISS performs differential backups of the moveLINQ production database nightly and performs a
full tape backup weekly. The nightly backups are kept on-site for four weeks. The monthly full
backup tapes are sent to a long-term off-site facility for two years.
The moveLINQ application is
tested annually using a table top exercise.

NGMS is responsible for system backup of GovTrip and maintains data in their Business Data
Warehouse for six years and three months.

Invoice Processing Platform (IPP) data is stored and backed up on the storage area network
(SAN) and replicates every 5 minutes between EROC (East Rutherford Operational Center) and
Dallas. Federal Reserve Bank of Boston (FRBB) does a disaster recovery exercise for
contingency planning, typically in February, to test the failover of IPP from their hosting facility
in EROC to Dallas. The test ensures that the application successfully moved to Dallas, but does
not require agencies to point to a different IP address in Dallas to submit a file due to its manually
intensive nature.

Continuity of Operations
A fire alarm and sprinkler system that is managed, maintained, and tested by the building
management protects ARC and ISS facilities. Alarms are active 24 hours a day, 7 days a week,
and are tied to a local alarm services company for spontaneous notification. Sprinkler heads are
located in the ceiling of each room of the buildings. This is a “wet pipe” (always charged with
water) system with individual heads that discharge water.

In the event the main building becomes inoperable, network operations would be relocated to the
Kansas City Regional Operations Center (KROC) facility in accordance with the ISS data
center’s DRP.
This facility employs a “warm site” strategy for recovery of network operations.

As part of the ARC BCP, should ARC facilities become unavailable, essential ARC personnel
will relocate to established telework locations to reestablish their essential functions.
"